BLACK BOX EXCEPTIONAL GROUPS OF LIE TYPE 



W. M. KANTOR AND K. MAGAARD 

Abstract. If a black box group is known to be isomorphic to an exceptional
simple group of Lie type of (twisted) rank > 1, other than any $^2F_4(q)$, over a
field of known size, a Las Vegas algorithm is given to produce a constructive
isomorphism. In view of its timing, this algorithm yields an upgrade of all
known nearly linear time Monte Carlo permutation group algorithms to Las
Vegas algorithms when the input group has no composition factor isomorphic
to any group $^2F_4(q)$ or $^2G_2(q)$.

1. Introduction 

In a number of algorithmic settings it is essential to take a permutation group
or matrix group that is known (probably) to be simple and produce an explicit
isomorphism with an explicitly defined simple group, such as a group of matrices
([LG, KS1, Ka3] contain background on this and many related questions). This has
been accomplished for the much more general setting of black box classical groups
in [KS1, Br1, Br2, Br3, BrK1, BrK2, LMO] (starting with the groups PSL(d, 2) in
[CFL]). Black box alternating groups are dealt with in [BLNPS]. In this paper we
consider this identification question for black box exceptional groups of Lie type.
Note that the name of the group can be found quickly using Monte Carlo algorithms
in suitable settings [BKPS, KS3, KS4, LO].

The elements of a black box group G are assumed to be encoded by 0-1 strings
of uniform length, and G is specified as $G = \langle S \rangle$ for some set S of elements of G.
Our main result is as follows (where $\varepsilon$ is 1 in general and 3 for $^3D_4(q)$):

Theorem 1.1. There is a Las Vegas algorithm which, when given a black box group
$G = \langle S \rangle$ isomorphic to a perfect central extension of a simple exceptional group of
Lie type of (twisted) rank > 1 and given field size q, other than any $^2F_4(q)$, finds
the following:

(i) The name of the simple group of Lie type to which G/Z(G) is isomorphic; and

(ii) A new set $S^*$ generating G, a generating set $\hat S$ of the universal cover $\hat G$ of the
simple group in (i) and an epimorphism $\Psi : \hat G \to G$, specified by the requirement
that $\hat S\Psi = S^*$.

Moreover, the data structures underlying (ii) yield algorithms for each of the following:

(iii) Given $g \in G$, find $\hat g \in \hat G$ such that $g = \hat g\Psi$, and a straight-line program of
length $O(\log q)$ from $S^*$ to g; and

(iv) Given $\hat g \in \hat G$, find $\hat g\Psi$ and a straight-line program of length $O(\log q)$ from $\hat S$ to
$\hat g$.

In addition, the following all hold.

(v) $S^*$ has size $O(\log q)$ and contains a generating set for G consisting of root
elements.

(vi) The algorithm for (ii) is an $O(\xi q^{\varepsilon} \log q + \mu q^{\varepsilon} \log^2 q)$-time Las Vegas algorithm
succeeding with probability > 1/2, where $\mu$ is an upper bound on the time
required for each group operation in G, and $\xi > \mu$ is an upper bound on the
time requirement per element for the construction of independent, (nearly)
uniformly distributed random elements of G.

In additional $O(|S| \log |S| (\xi q^{\varepsilon} \log q + \mu q^{\varepsilon} \log^2 q))$ time it can be verified that
G is indeed isomorphic to a perfect central extension of the exceptional group
in (i).

(vii) The algorithm for (iii) is Las Vegas, running in $O(\xi q^{\varepsilon} \log q + \mu q^{\varepsilon} \log^2 q)$ time
and succeeding with probability > 1/2; while the algorithm for (iv) is
deterministic and runs in $O(\mu \log q)$ time.

(viii) The center of G can be found in $O(\mu \log q)$ time.

Parts (ii-iv) are the requirements for a constructive epimorphism $\Psi : \hat G \to G$.
The verification at the end of (vi) is omitted in some references, since G is assumed
to be an epimorphic image of a specific group $\hat G$ which, in turn, is isomorphic to
(a central extension of) an explicitly constructed subgroup $G_0$ of G (cf.
Proposition 2.33). In practice, it is hard to imagine that this test would be omitted since
it appears to be the only way to guarantee that the group G behaves as
hypothesized. We note that, in (iv), $\hat g \in \hat G$ might be given in standard Bruhat normal form
but alternatively might merely be given as an automorphism of the associated Lie
algebra (cf. Remark 2.40). It is also worth remarking that we use $\varepsilon = 1$ for groups
of type $^2E_6(q)$, since that is the case for its Levi factor SU(6, q) (Theorem 1.3).

The above algorithms do not run in polynomial time: the timings in (vi) and (vii)
have factors q. At present there are no polynomial-time algorithms for the type of
problem considered here, neither in the black box setting nor even in the matrix
group one. This was already evident for classical groups in [KS1] and, even earlier,
in [CLG]. A standard way around this obstacle involves a lovely idea in [CoLG]
(used in [BrK1, BrK2, Br2, Br3, LMO]): use suitable oracles. The preceding
references assume the availability of an oracle that constructively recognizes subgroups
SL(2, q). This was motivated by [CoLG], which deals with matrix groups and
assumes the availability of a Discrete Log oracle for $\mathbb{F}_q^*$. In this matrix group setting,
[CoLG, LGO] provide a constructive Las Vegas algorithm for a group isomorphic
to a nontrivial homomorphic image of SL(2, q) in any irreducible representation in
characteristic dividing q, running in time that is polynomial in the input length,
assuming the availability of a Discrete Log oracle. In effect, this idea replaces
annoying factors q by an oracle. This is discussed further in the Remarks in Section 4,
making it clear that this will not be the last paper on this type of problem!

A rough outline of the proof of the theorem is given in Section 1.2. The first
part resembles [KS1]: we find a long root element, then build a subgroup SL(3, q),
and also a subgroup $\mathrm{Spin}_8^-(q)$ when the Lie rank is more than 2. We then use
pieces of these groups to obtain the centralizer of a subgroup SL(2, q) generated by
long root groups. However, there is no module to aim for that is as nice as in the
classical case. Hence, instead we proceed directly to obtain all of the root groups
corresponding to a root system, and then verify the standard commutator relations
that define these groups: the corresponding presentation guarantees the Las Vegas
nature of our algorithm.

Our proofs are divided into two parts, with rank > 2 and rank 2 in Sections 2 and
3, respectively. Section 4 contains remarks concerning improvements or variations
on the theorem and the algorithms.

In view of [KS2] (and [BrB]), we obtain the following immediate but significant
consequence of the above theorem:

Corollary 1.2. Given a permutation group $G \le S_n$ with no composition factor
isomorphic to any group $^2F_4(q)$ or $^2G_2(q)$, all known nearly linear time Monte
Carlo algorithms dealing with G can be upgraded to Las Vegas algorithms.

The stated algorithms find |G| and a composition series of G, among many other
things (cf. [Ser]). In fact, it can be shown that the groups $^2G_2(q)$ do not need to
be excluded here; see Section 4, Remark 7.

1.1. Background. For background on groups of Lie type we refer to [Ca1, GLS].

For background on required aspects of black box groups, in particular for discussions
of the parameters $\xi$ and $\mu$ in the theorem, see [KS1, 2.2.2]. Thus, we assume that
$\xi > \mu$ and $\mu > N$ if N is the string length of the elements of our black box group
G. Moreover, $N > \log |G| > C \log q$ for some constant C, since we are dealing with
exceptional groups of Lie type over $\mathbb{F}_q$.

We note that, as in [KS1, 2.2.4], we presuppose the availability of
independent (nearly) uniformly distributed random elements of G, a major result in [Bab]
(compare [CLMNO, Di]).

Straight-line programs from S to elements of $G = \langle S \rangle$ are also defined and
discussed in [KS1, 2.2.5]. For use in [KS2] (or in Corollary 1.2), part (iii) of the
theorem needs the stated straight-line program, not just the preimage $\hat g$.

In general the symbol ppd#(p; n) stands for some integer divisible by a prime r
(a primitive prime divisor) such that $r \mid p^n - 1$ but $r \nmid p^i - 1$ for $1 \le i < n$ (cf. [Zs]).
The exceptions to this definition are: ppd#(p; 1) with p > 5 a Fermat prime, where
we require divisibility by 4; ppd#(p; 2) with p a Mersenne prime, where we require
divisibility by 4; and ppd#(2; 6), where we require divisibility by 21. It is easy to
test this property of an integer for a single ppd#(p; n) requirement ([NP, p. 578],
[KS1, Lemma 2.7]), and hence also for a product ppd#(p; $n_1$) ··· ppd#(p; $n_k$) of a
bounded number of them (where $n_1 < \cdots < n_k$). In those references, the time
requirement for such tests is far smaller than other aspects of our algorithms, and
hence will be ignored.
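
One way to carry out the ppd# test just described without factoring anything, given as an added example (it is not code from the paper, [NP] or [KS1]). The function names are hypothetical, p is assumed to be prime, the Fermat bound p > 5 is taken as printed above, and a product requirement is read as "every factor's requirement holds".

```python
from math import gcd


def prime_divisors(n):
    """Distinct prime divisors of n by trial division (n is a small exponent)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def has_primitive_prime_divisor(m, p, n):
    """True if some prime r | m divides p^n - 1 but no p^i - 1 with 1 <= i < n."""
    # Keep only the part of m that is supported on p^n - 1.
    g = gcd(m, pow(p, n, m) - 1)
    # A non-primitive prime r has order d | n with d < n, so d | n/s for some
    # prime s | n and r | p^(n/s) - 1. Strip every such prime from g.
    for s in prime_divisors(n):
        k = n // s
        while g > 1:
            h = gcd(g, pow(p, k, g) - 1)
            if h == 1:
                break
            g //= h
    # Whatever survives is built from primitive prime divisors only.
    return g > 1


def is_power_of_two(x):
    return x > 0 and x & (x - 1) == 0


def is_ppd_sharp(m, p, n):
    """Is the integer m a ppd#(p; n) number, exceptional cases included?"""
    if p == 2 and n == 6:                              # 2^6 - 1 has no ppd
        return m % 21 == 0
    if n == 1 and p > 5 and is_power_of_two(p - 1):    # Fermat prime, as printed
        return m % 4 == 0
    if n == 2 and is_power_of_two(p + 1):              # Mersenne prime
        return m % 4 == 0
    return has_primitive_prime_divisor(m, p, n)


def is_ppd_sharp_product(m, p, exponents):
    """m meets every ppd#(p; n_i) requirement (assumed reading of a product)."""
    return all(is_ppd_sharp(m, p, n) for n in exponents)


if __name__ == "__main__":
    # Constructed sample: 3^4 - 1 = 16*5 and 3^12 - 1 = 80*7*13*73, so 5 and 73
    # are the primitive prime divisors for exponents 4 and 12.
    print(is_ppd_sharp_product(5 * 73, 3, [4, 12]))   # element order 365
    print(is_ppd_sharp_product(5 * 13, 3, [4, 12]))   # 13 has order 3, not 12
```

The only arithmetic is modular exponentiation and gcds on numbers no larger than the element order being tested, which is why the text can ignore the cost of these tests.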

Notation: We always write $q = p^e$, where p is the characteristic of G.

We will usually have available a field $F = \mathbb{F}_q$ obtained from subgroups of G; and
also an extension field F' of F of degree 1, 2 or 3. We choose an $\mathbb{F}_p$-basis $\{f_1, \dots\}$
of F' such that $f_1 = 1$ and $\{f_1, \dots, f_e\}$ is a basis of F.

In view of the discussion in [KS1, Sec. 2.3], we will always assume that field
operations can be carried out in constant time.

1.2. Outline. A very rough summary of our approach to Theorem 1.1(ii,vi) is as
follows (with many details suppressed or ignored).

• Use random group elements and primitive prime divisors to find $\tau \in G$ of
special order, in particular such that some power $z = \tau^l$ is a long root element
(cf. Sections 2.2, 2.5, 3.2). (In types $E_7$ and $E_8$ we need two such elements $\tau$
of different specific orders.)

• Find three conjugates of z that generate a subgroup S = SL(3, q) (cf.
Section 2.3), together with a subgroup R = SL(2, q) of S also generated
by conjugates of z. Much of the algorithm depends heavily on SL(2, q) and
SL(3, q) subgroups.

• For rank > 2 use S and a conjugate of z to construct a G-conjugate of R lying
in $L = C_G(R)$ (cf. Section 2.8): this SL(2, q) and variants of the element(s)
$\tau$ are used to generate L (cf. Section 2.9). If the rank is 2 then $C_S(R)$ and $\tau$
generate L (which this time is an SL(2, $q^{\varepsilon}$); cf. Section 3.3).

This heavily depends on the uniqueness of the triple (R, S, L) up to conjugacy
in G.

• Find a (maximally) split torus T normalizing L and S. Use it to construct root
systems of L and S with respect to the tori $T \cap L$ and $T \cap S$. Use commutators
of root groups of S and L to find root groups and a root system $\Phi_G$ for G.

• The new generating set $S^*$ for G contains the union of sets of generators of
these root groups $X_\alpha$, $\alpha \in \Phi_G$. Verify a version of the Steinberg presentation
[St] for the subgroup $G_0$ generated by these subgroups $X_\alpha$ (cf. Section 2.12).

• Show that each of the given generators for G is in $G_0$, so that $G_0 = G$.

1.3. Recognition algorithms used. We will use existing algorithms for
constructive recognition of various black box groups. Since their timing is crucial for us, we
state the instances and timings in the next result, which refers to the counterparts
in our Theorem 1.1.

Theorem 1.3. Let $G = \langle S \rangle$ be a black box group that is isomorphic to a nontrivial
homomorphic image of SL(2, q), SL(3, q), Sp(6, q), SU(6, q), $\mathrm{Spin}_8^-(q)$ or $\mathrm{Spin}_{12}^+(q)$.
Then there are algorithms for the natural analogues of Theorem 1.1(ii-iv), and the
following hold:

(i) Theorem 1.1(v) holds;

(ii) Theorem 1.1(ii) takes $O(\xi q \log q + \mu q \log q)$ Las Vegas time, succeeding with
probability > 1/2;

(iii) Theorem 1.1(iii) is deterministic and takes $O(\mu q \log q)$ time, except in the case
SU(6, q), where it takes $O(\xi q \log q + \mu q \log q)$ Las Vegas time, succeeding with
probability > 1/2; and

(iv) Theorem 1.1(iv) is deterministic and takes $O(\mu \log q)$ time.

Proof. This is contained in [KS1], except that the times in [KS1, 6.6.3] contain a
factor $q^3$ for the group SU(6, q) (due to the treatment of SU(3, q)), which is avoided
as follows.

It is noted in [BrK2, Sec. 5.3] that [KS1, 4.6.3] handles $P\Omega^-(6, q)$ in the stated
times if modified using ideas in [BrK2]. This readily gives the stated result for
SU(4, q), which can then be used in [KS1, Sec. 6] for all larger-dimensional unitary
groups. In particular, this leads to the stated times for SU(6, q). □

The above times do not include verification of a presentation of the stated groups
(cf. Theorem 1.1(vi)): we will deal with that later in the context of Theorem 1.1.
There are more recent versions of the above theorem that run in polynomial time,
assuming the availability of suitable oracles [BrK1, BrK2, Br2, Br3, LMO].
Section 4 contains comments concerning possible similar improvements of Theorem 1.1.

We also note that [Br2, Br3] obtain better times than [KS1] by avoiding the
recursive call in the latter reference, but this has little effect on the present paper's focus
on bounded rank groups.

Convention 1.4. The proof of Theorem 1.1(vi) uses the Las Vegas portion of
Theorem 1.3(iii) for SU(6, q) when G has type $^2E_6(q)$, and the Las Vegas
Theorem 1.1(vi) (more precisely, the Theorem 1.1(iii) portion) for type $E_7$ when G has
type $E_8(q)$; otherwise all of our uses of Theorems 1.3(iii) and 1.1(iii) are
deterministic. In our algorithm we will avoid this "either or" possibility and assume that
we are always in a deterministic setting when using the aforementioned results. In
each instance that is actually Las Vegas (of which there are only $O(\log q)$), up to
20 repetitions of the Las Vegas version can be inserted in order to guarantee that
the probability of failure is at most $1/2^{20}$, which is insignificant compared to other
probabilities of failure that occur elsewhere in our algorithms.

As in [KS1, KS3, KS4, BrK1, BrK2, Br2, Br3], we will use crude probability
estimates, making the number of repetitions of calls to previous routines (such as
those in Theorem 1.3(ii)) appear to be unreasonably large. The goal has been to
prove theorems rather than to obtain best estimates for each type of group.

As in [KS1, KS3, KS4, BrK1, BrK2, Br2, Br3], our algorithms contain statements
such as "Choose up to $10 \cdot 2^{12}$ pairs z', y ...". We could instead have used statements
such as "Choose O(1) pairs z', y ..."; this would have eliminated some calculations,
suppressed some very annoying constants, and looked more elegant. However, it is
not clear how a computer would deal with such an O(1) requirement. By contrast,
"$O(\mu \log q)$ time" merely refers to a property of an algorithm.

2. Groups of rank > 2 

Throughout this section we will assume that 

(2.1) $\hat G$ is the simply connected cover of $F_4(q)$, $E_6(q)$, $^2E_6(q)$, $E_7(q)$ or $E_8(q)$.

Here, $\hat G$ is a known copy of the group in question, as opposed to a black box
version we will eventually handle. There are only a few cases where $\hat G$ is not also
the universal cover of G (cf. [GLS, p. 313]), and we will always assume that q is large
enough to avoid these. Thus, $\hat G$ is precisely the group with that name appearing in
Theorem 1.1.

We will assume the availability of the Lie algebra of $\hat G$. This will be used in
Lemma 2.32 (and the Appendix), and in Remark 2.40.



Notation

  $\Phi$                        root system for $\hat G$
  $\Phi^+$                      the set of positive roots
  $\Delta$                      a base of $\Phi$
  p                             the characteristic of $\hat G$
  F                             $\mathbb{F}_q$, $q = p^e$
  F'                            $\mathbb{F}_{q^{e'}}$, where e' = 1 except for $^2E_6(q)$, where e' = 2
  $\{f_1, \dots, f_e\}$         an $\mathbb{F}_p$-basis of F, where $f_1 = 1$
  $\{f_1, \dots, f_{2e}\}$      an $\mathbb{F}_p$-basis of F' if $\hat G$ is $^2E_6(q)$

The rank of $\hat G$ refers to the twisted rank (for example, $^2E_6(q)$ has rank 4).

2.1. Properties of $\hat G$. We will use a standard type of presentation for the simply
connected cover $\hat G$ of the simple group of Lie type we are considering. This
presentation depends on the root system $\Phi$ and various integers $C_{ij\alpha\beta}$, $\epsilon_{\alpha\beta}$, $\eta_{\alpha\beta}$, $A_{\alpha\beta}$,
all of which we assume have been precomputed.

Presentation of the target group. We temporarily exclude groups of type $^2E_6$.
The following is just a straightforward, shortened version of the standard
Curtis-Steinberg-Tits presentation [St, BGKLP]. Use generators $X_\alpha(f_k)$, $\alpha \in \Phi$,
$1 \le k \le e$, satisfying the following relations:

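(2.2) Given any $t = \sum_k z_k f_k \in F$ with $0 \le z_k < p$, write
      $X_\alpha(t) := \prod_k X_\alpha(f_k)^{z_k}$;

(2.3) $X_\alpha(f_k)^p = 1$ for $\alpha \in \Phi$, $1 \le k \le e$;

(2.4) $[X_\alpha(f_k), X_\alpha(f_l)] = 1$ for $\alpha \in \Phi$, $1 \le k < l \le e$; and

(2.5) $[X_\alpha(f_k), X_\beta(f_l)] = \prod_{i,j>0} X_{i\alpha+j\beta}(C_{ij\alpha\beta} f_k^i f_l^j)$ for $\alpha, \beta \in \Phi$, $\alpha \ne \pm\beta$,
      $1 \le k, l \le e$.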

The right hand side of (2.5) is viewed as expanded, using (2.2), into an
expression involving powers of the generators $X_\gamma(f_m)$ for $\gamma \in \Phi$, $1 \le m \le e$. The
structure constants $C_{ij\alpha\beta}$ are integers that are at most 2 in absolute value (since
we have rank > 2), and are given in [Ca1, Section 5.2]. The non-uniqueness of this
presentation is discussed at length in [Ca1, p. 58].

The right side of (2.5) has at most one nontrivial term when there is only one
root length (i.e., for types $E_6$, $E_7$, $E_8$). In this case, there is a nontrivial term
$X_{\alpha+\beta}(C_{11\alpha\beta} f_k f_l)$ precisely when $\alpha + \beta \in \Phi$. A more precise version of (2.5) for
groups of type $F_4$ is in the paragraph following (2.6).

The above relations provide a presentation for the simply connected cover $\hat G$.
An algorithm for finding the center of this group is given in [Ca1, p. 198] using
elementary linear algebra; every element of $Z(\hat G)$ is expressed as a word in our
generators. However, $Z(\hat G)$ can easily be found more directly for the groups studied
here.

We will need further relations (2.9)-(2.10) that are consequences of the preceding
ones and take into account the action of a split torus on the root groups
$X_\alpha := \langle X_\alpha(f_k) \mid 1 \le k \le e \rangle$.

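The group $^2E_6(q)$. This time $\hat G$ is the simply connected central extension of $^2E_6(q)$,
$\Phi$ is a root system of type $F_4$ and $\hat G$ has generators $X_\alpha(f_k)$ with $\alpha \in \Phi$ and
$1 \le k \le e$ for $\alpha$ long while $1 \le k \le 2e$ for $\alpha$ short. We use the obvious analogues
of relations (2.2)-(2.4), along with the relations

(2.6) $[X_\alpha(f_k), X_\beta(f_l)] =$
      1                                                                                              if $\alpha + \beta \notin \Phi$
      $X_{\alpha+\beta}(\epsilon_{\alpha\beta} f_k f_l)$                                             if $\alpha, \beta, \alpha + \beta$ all short or all long
      $X_{\alpha+\beta}(\epsilon_{\alpha\beta}(f_k \bar f_l + \bar f_k f_l))$                        if $\alpha, \beta$ short, $\alpha + \beta$ long
      $X_{\alpha+\beta}(\epsilon_{\alpha\beta} f_k f_l)\, X_{\alpha+2\beta}(\epsilon'_{\alpha\beta} f_k f_l \bar f_l)$   if $\alpha, \alpha + 2\beta$ long, $\beta, \alpha + \beta$ short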

for all appropriate basis elements $f_k$, $f_l$. The right hand side of (2.6) is expanded
as above. The structure constants $\epsilon_{\alpha\beta}$ and $\epsilon'_{\alpha\beta}$ are ±1, and as before we assume
that these have been obtained in advance.

The relations corresponding to (2.5) for $F_4(q)$ are just the relations (2.6) with
all field elements in F. In this case, the third relation in (2.6) involves a structure
constant $C_{ij\alpha\beta}$ that is not 0 or ±1; and this is the only time this occurs for groups
of rank > 2.

We assume that the presentations (2.2)-(2.5) or (2.6) are given as part of the
data describing the target group $\hat G$. Eventually we will find elements of our black
box group satisfying them.

The above presentations are essential for our algorithms. However, there are
"variants" [GKKL1, GKKL2] that may be more useful in practice: they only involve
a bounded number of relations for any q (fewer than 1000 in [GKKL1] or 50 in
[GKKL2]).

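Additional relations in $\hat G$; the subgroups $T_{\hat G}$ and $N_{\hat G}$. Following [Ca1, p. 189],
if $\alpha \in \Phi$ and $t \in F^*$ let

(2.7) $h_\alpha(t) := n_\alpha(t) n_\alpha(-1)$, where $n_\alpha(t) := X_\alpha(t) X_{-\alpha}(-t^{-1}) X_\alpha(t)$;

when $\hat G$ is of type $^2E_6$ and $\alpha$ is short then we also allow $t \in F'^*$. Define

(2.8) $T_{\hat G} := \langle h_\alpha(t) \mid \alpha \in \Phi, t \in F^* \rangle$ and $N_{\hat G} := \langle T_{\hat G}, n_\alpha(t) \mid \alpha \in \Delta, t \in F^* \rangle$;

in type $^2E_6$ we again use $t \in F'^*$ when $\alpha$ is short. If $\hat G$ is an untwisted group then
$T_{\hat G}$ is a maximal split torus of order $(q - 1)^{\mathrm{rank}\ \hat G}$; if $\hat G$ is $^2E_6(q)$, then $T_{\hat G}$ is a
maximally split torus of order $(q - 1)^2 (q^2 - 1)^2$. Moreover, $T_{\hat G} \trianglelefteq N_{\hat G}$, and $N_{\hat G}/T_{\hat G}$
is the Weyl group of $\hat G$.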

If $\alpha \in \Phi$ then $X_\alpha$ is the set of all $X_\alpha(t)$. The subgroups $X_\alpha$ generate $\hat G$.

By [Ca1, p. 194], the root groups $X_\alpha$ are invariant under conjugation by $T_{\hat G}$:

(2.9) $h_\alpha(t) X_\beta(u) h_\alpha(t)^{-1} = X_\beta(t^{A_{\alpha\beta}} u)$ except for the next instance
      $h_\alpha(t) X_\beta(u) h_\alpha(t)^{-1} = X_\beta((t t^q)^{A_{\alpha\beta}/2} u)$ in type $^2E_6$, $\alpha$ short, $\beta$ long,

where $A_{\alpha\beta} := 2(\alpha, \beta)/(\alpha, \alpha)$ for the Killing form ( , ) of the underlying Lie algebra.
By [Ca1, p. 190] we also have

(2.10) $n_\alpha(t) X_\beta(u) n_\alpha(t)^{-1} = X_{w_\alpha(\beta)}(\eta_{\alpha\beta} t^{-A_{\alpha\beta}} u)$,

where $w_\alpha$ is the reflection in the Weyl group of $\hat G$ corresponding to the hyperplane
$\alpha^\perp$, and $\eta_{\alpha\beta} = \pm 1$. Thus, each element of the Weyl group permutes the root
groups $X_\beta$ by conjugation.

How elements of $\hat G$ are described. Elements of $\hat G$ are most conveniently given
in the form $unv'$, with $n \in N_{\hat G}$ and $u, v'$ in the Sylow p-subgroup
$\langle X_\gamma(t) \mid t \in F \text{ or } F', \gamma \in \Phi^+ \rangle$ (Bruhat decomposition [Ca1, Corollary 8.4.4] or [GLS, Theorem 2.3.5]).
In this paper we do not have a natural module as occurs in the classical group case
[CFL, KS1, Br1, Br2, Br3, BrK1, BrK2, LMO]. However, an element of $\hat G$ could
merely be given as an automorphism of the associated Lie algebra. See Remark 2.40
for further discussion.

Root groups and root elements. The $\hat G$-conjugates of the $X_\alpha$ are called root
groups: a long root group if $\alpha$ is long and a short root group if $\alpha$ is short. In case
all roots have equal length we call all root groups "long". Context will determine
whether a discussion of long root groups will only be concerned with ones of the
form $X_\alpha$ rather than arbitrary conjugates of these.

Nontrivial elements of long root groups are called long root elements. Each long
root element is in a uniquely determined long root group.

The following standard result is in [Coo, Lemma 2.2].

Lemma 2.11. For long root groups $X_1, X_2$ of $\hat G$, one of the following holds:

(i) $[X_1, X_2] = 1$,

(ii) $|\langle X_1, X_2 \rangle| = q^3$ and $[X_1, X_2] = Z(\langle X_1, X_2 \rangle)$ is a long root group, or

(iii) $\langle X_1, X_2 \rangle \cong \mathrm{SL}(2, q)$.

Two long root groups are opposite if they generate a subgroup isomorphic to
SL(2, q), called a long SL(2, q). Short SL(2, q)'s are defined similarly when there
are two root lengths. Two long root elements are opposite if they lie in opposite
long root groups. Note that, when q is even, two opposite long root elements will
merely generate a dihedral group. The preceding lemma provides a simple way to
test whether or not two long root elements are opposite:

(2.12) Long root elements a, b are opposite if and only if $[[a, b], a] \ne 1$.
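
The opposition test (2.12) and the three cases of Lemma 2.11, run on explicit transvections of SL(3, 11), as an added example that is not part of the paper. The matrix model (standing in for the black box operations of multiplication, inversion and equality), the field size 11 and all function names are choices made for this illustration.

```python
P = 11   # constructed example: q = p = 11
N = 3    # transvections of SL(3, q) are long root elements of a long SL(3, q)


def identity():
    return tuple(tuple(int(i == j) for j in range(N)) for i in range(N))


def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(N)) % P
                       for j in range(N)) for i in range(N))


def inv(a):
    """Inverse over F_P by Gauss-Jordan elimination on [a | I]."""
    m = [list(row) + [int(i == j) for j in range(N)] for i, row in enumerate(a)]
    for col in range(N):
        pivot = next(r for r in range(col, N) if m[r][col])
        m[col], m[pivot] = m[pivot], m[col]
        scale = pow(m[col][col], -1, P)
        m[col] = [v * scale % P for v in m[col]]
        for r in range(N):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(v - f * w) % P for v, w in zip(m[r], m[col])]
    return tuple(tuple(row[N:]) for row in m)


def x(i, j, t):
    """Root element I + t*E_ij (1-based indices, i != j)."""
    m = [list(row) for row in identity()]
    m[i - 1][j - 1] = t % P
    return tuple(tuple(row) for row in m)


def comm(a, b):
    """Commutator [a, b] = a^-1 b^-1 a b."""
    return mul(mul(inv(a), inv(b)), mul(a, b))


def conj(a, g):
    return mul(inv(g), mul(a, g))


def are_opposite(a, b):
    """Test (2.12): a, b are opposite iff [[a, b], a] != 1."""
    return comm(comm(a, b), a) != identity()


def lemma_2_11_case(a, b):
    """Which case of Lemma 2.11 the root groups of a and b fall under."""
    if comm(a, b) == identity():
        return "(i)"
    return "(iii)" if are_opposite(a, b) else "(ii)"


if __name__ == "__main__":
    a = x(1, 2, 1)
    print(lemma_2_11_case(a, x(1, 3, 4)))   # commuting root groups
    print(lemma_2_11_case(a, x(2, 3, 1)))   # commutator is the root element x(1, 3, 1)
    print(lemma_2_11_case(a, x(2, 1, 1)))   # opposite: they generate an SL(2, 11)
```

Only products, inverses and comparison with the identity are used, so the same three functions `comm`, `are_opposite` and `lemma_2_11_case` apply unchanged to any black box encoding of the elements.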

The group R, the highest root $\nu$ and the root $\nu'$. Let

(2.13) $R := \langle X_\nu, X_{-\nu} \rangle \cong \mathrm{SL}(2, q)$, where $\nu$ is the highest root of $\Phi$.

Then $\nu$ is a long root, $\Delta \cup \{-\nu\}$ is the set of roots in the extended Dynkin diagram
of $\hat G$ [GLS, p. 10], and

(2.14) There is a unique long root $\nu' \in \Delta$ not orthogonal to $-\nu$.

Moreover, $\Delta_L := \Delta \cap \nu^\perp$ is a base of the subroot system $\Phi_L$ it generates, and
$\Delta = \Delta_L \cup \{\nu'\}$.

The subgroups L and Q. Define

$L := \langle X_\alpha \mid \alpha \in \Phi_L \rangle$ and $Q := \langle X_\alpha \mid \alpha \in \Phi^+ \setminus \Phi_L \rangle$.

If $1 \ne z \in X_\nu$ then $C_{\hat G}(z) = Q \rtimes L = C_{\hat G}(X_\nu)$. The groups L and Q are as follows:



(2.15)

  $\hat G$         L                          Q                  torus orders
  $F_4(q)$         Sp(6, q)                   $q^{1+14}$ b       $q^3 + 1$
  $E_6(q)$         SL(6, q)                   $q^{1+20}$         $(q^6 - 1)/(q - 1)$
  $^2E_6(q)$       SU(6, q)                   $q^{1+20}$         $(q^6 - 1)/(q + 1)$
  $E_7(q)$         $\mathrm{Spin}_{12}^+(q)$  $q^{1+32}$         $q^6 - 1$ and $(q^8 - 1)/(q^2 - 1)$
  $E_8(q)$         $E_7(q)$                   $q^{1+56}$         $(q^8 - 1)/(q - 1)$ and $(q^9 + 1)/(q^2 - q + 1)$

where $E_7(q)$ denotes the simply connected cover of $E_7(q)$, and $Z(Q) = X_\nu$ except
where b indicates that this does not hold for $F_4(q)$ when q is even (cf. Lemma
2.18(iv)). (We have also listed the orders of some cyclic maximal tori of L
containing $Z(\hat G)$ that will be used in Section 2.2. The orders in the $E_8$ case come
from [DF, $T_{30}$ and $T_{24}$ in Table III].)

Note that QL is the derived subgroup of a parabolic subgroup $N_{\hat G}(X_\nu)$ for which
the unipotent radical is Q and the derived group of a Levi factor is L. Also,

(2.16) $Z(\hat G) < C_{\hat G}(R) = L$, and normalizes both R and L.

Define

(2.17) $T_L := \langle h_\alpha(t) \mid \alpha \in \Phi_L, t \in F^* \rangle$ and $N_L := \langle T_L, n_\alpha(t) \mid \alpha \in \Delta_L, t \in F^* \rangle$

with $n_\alpha(t)$ in (2.7); in type $^2E_6$, as in (2.8) use $t \in F'^*$ when $\alpha$ is short, so that
L = SU(6, q) and $|T_L| = (q - 1)(q^2 - 1)^2$. In each case, $T_L$ is a maximal torus of L,
$T_L < T_{\hat G}$, $N_L < N_{\hat G}$ and $N_L/T_L$ is the Weyl group of L.

Let $Z := X_\nu$.

Lemma 2.18. [CKS, pp. 16-18]

(i) For every root $\nu \ne \alpha \in \Phi^+ \setminus \Phi_L$ there is a unique root $\beta \in \Phi^+ \setminus \Phi_L$ such that
$\alpha + \beta = \nu$.

(ii) If $\hat G$ is not $F_4(q)$ with q even, then for each root group $X_\alpha \ne Z$ in Q there is
a unique root group $X_\beta$ in Q that does not commute with $X_\alpha$ (and then $\alpha$ and
$\beta$ have the same length).

(iii) If $\hat G$ is $F_4(q)$ with q even, then for each long root group $X_\alpha \ne Z$ in Q there
is a unique long root group $X_\beta$ in Q that does not commute with $X_\alpha$.

(iv) If $\hat G$ is $F_4(q)$ with q even, then $Z(Q) = \langle Z, X_\alpha \mid \alpha \text{ short} \rangle$ has order $q^7$ and is
the standard module for $L \cong \Omega(7, q)$.

This follows from the commutator relations, which also provide more
information in the situation of this lemma: Q/[Q, Q] is an F-space of dimension 14, 20, 20,
32 and 56 in the respective cases (2.1); and it is an irreducible FL-module except
when q is even and $\hat G = F_4(q)$ (producing the b in (2.15)), in which case Q/[Q, Q]
has an irreducible 6-dimensional FL-submodule modulo which it is irreducible
(Section 2.4 has computations based on this fact).

Long subgroups. We call any subgroup generated by (conjugates of) long root
groups a long subgroup. We will especially emphasize long subgroups such as R,
L, long SL(3, q)-subgroups such as S in (2.19) below, and long subgroups $\mathrm{Spin}_8^-(q)$
such as J in Lemma 2.23 below.

The long subgroup S = SL(3, q). Let

(2.19) $S := \langle X_\nu, X_{-\nu}, X_{\nu'}, X_{-\nu'} \rangle \cong \mathrm{SL}(3, q)$, $T_S := T_{\hat G} \cap S$ and $N_S := N_{\hat G} \cap S$.

The following are straightforward to check:

Lemma 2.20. (i) normalizes S.

(ii) $N_{\hat G} = \langle N_S, N_L \rangle$.

(iii) If q > 2 then $T_{\hat G} = \langle T_S, T_L \rangle$ and $N_{\hat G}/T_{\hat G}$ is the Weyl group of $\hat G$.

(iv) If q > 3 then $N_L = N_L(T_L)$, $N_S = N_S(T_S)$ and $N_{\hat G} = N_{\hat G}(T_{\hat G})$.

Lemma 2.21. Let $S_1$ be a long subgroup of $\hat G$ isomorphic to SL(3, q). Then

(i) $S_1$ is conjugate to S,

(ii) If $L_1 \in L^{\hat G}$ centralizes a long SL(2, q) subgroup of $S_1$, then the pair $(S_1, L_1)$ is
conjugate in $\hat G$ to (S, L), and

(iii) If $S_1$ contains $X_\nu$ then $O_p(C_{S_1}(X_\nu)) < Q$.
(iii) If Si contains X v then O p (C ^(Xj,)) < Q. 

Proof. (i) See [Coo] or [LS].

(ii) S is transitive on its long SL(2, q) subgroups.

(iii) Since the pair $(S_1, X_\nu)$ is conjugate in $\hat G$ to $(S, X_\nu)$, we may assume that
$S_1 = S$. Then $O_p(C_S(X_\nu)) = X_{\nu'} X_\nu X_{\nu - \nu'} < Q$. □

Lemma 2.22. $\hat G$ acts transitively by conjugation on the set of all 4-tuples
$(L_1, S_1, T_{L_1}, T_{S_1})$ with $L_1 \in L^{\hat G}$, $C_{\hat G}(L_1)' < S_1 \in S^{\hat G}$, and $T_{L_1}$ and $T_{S_1}$ maximally
split tori of $L_1$ and $S_1$, respectively, containing $S_1 \cap L_1$.

Moreover, L and $S \cap L$ uniquely determine S. Finally, if q > 3 then $T := T_L T_S$
is a maximally split torus of $\hat G$, and $N/T \cong W$, where $N := N_{\hat G}(T)$ =

Proof. The preceding lemma already handles the pairs $(L_1, S_1)$. Consider our
subgroups L, S and the 1-dimensional torus $A := S \cap L$. Since $C_{\hat G}(A)$ is reductive,
all of its maximally split tori are conjugate and contain A. Since $T_L = L \cap T_{\hat G}$, this
handles the triples $(L_1, S_1, T_{L_1})$.

Clearly $L > C_L(A) = C_{\hat G}(AR) > C_{\hat G}(S)$, where $C_{\hat G}(S)$ is generated by $Z(\hat G)$
and long root groups. If M is the subgroup of $C_L(A)$ generated by its long root
groups, examining [Ka1, Coo, LS] we find that $M Z(\hat G) = C_{\hat G}(S)$. Thus, L and A
determine $S = C_{\hat G}(M)'$. (In fact, $C_{\hat G}(M)' = C_{\hat G}(M)$ using [LSS, Table 5.1].)

All maximal split tori of S containing A are R-conjugate (as is seen by using a
basis of the 3-space underlying S with respect to which $A = C_S(R)$ consists of all
matrices $\mathrm{diag}(\lambda, \lambda, \lambda^{-2})$). Since R normalizes L, S and $T_L$, this proves the stated
transitivity.

The final statements follow from Lemma 2.20. □

The long subgroups J = $\mathrm{Spin}_8^-(q)$.

Lemma 2.23. There are long subgroups J = $\mathrm{Spin}_8^-(q)$ containing S.

Proof. Each group $\hat G$ has a long subgroup $F_4(q)$ containing S. Then it suffices to
consider the case $\hat G = F_4(q)$, where there is a root subsystem subgroup $\mathrm{Spin}_9(q)$
containing a conjugate of S that lies in a subgroup $\mathrm{Spin}_8^-(q)$. □

2.2. Primitive prime divisors. When the rank is > 2, we will always assume
that q > 9 in order to avoid difficulties occurring in the next lemma for small fields.
A remark in Section 4 discusses some of the omitted q.

Lemma 2.24. Let $pl$ be as follows for the indicated types of $\hat G$:

  $F_4$        p · ppd#(p; 2e) ppd#(p; 6e)
  $E_6$        p · ppd#(p; 2e) ppd#(p; 3e) ppd#(p; 6e)
  $^2E_6$      p · ppd#(p; e) ppd#(p; 3e) ppd#(p; 6e)
  $E_7$        p · ppd#(p; e) ppd#(p; 2e) ppd#(p; 3e) ppd#(p; 6e)
  $E_7$        p · ppd#(p; 4e) ppd#(p; 8e)
  $E_8$        p · ppd#(p; 2e) ppd#(p; 4e) ppd#(p; 8e)
  $E_8$        p · ppd#(p; 2e) ppd#(p; 18e)

Let $\varpi = \varpi(\hat G)$ denote the p'-part of $|\hat G|$.

(i) If $\tau \in \hat G$ has order of the form $pl$, then $\tau^{\varpi}$ is a long root element or $\hat G$ has
type $F_4$ and $\tau^{\varpi}$ is either a long or a short root element.

(ii) With probability > 1/(315q), an element $\tau \in \hat G$ has order of the form $pl$ and $\tau^{\varpi}$
is a long root element.

Proof. We first construct elements $\tau$ of the stated orders. In (2.15) we provided
information concerning the centralizer of both a long root element and of R, a
long root SL(2, q), together with the orders of one or two maximal tori T* in that
centralizer. We will choose $\tau \in T^*R$. The integers required in the definition of $l$
exist by [Zs] or the definition of ppd# in Section 1.1.

These tori are constructed as follows.

• In $F_4(q)$ a subgroup Sp(6, q) centralizing a long root group has a cyclic maximal
torus of order $q^3 + 1$.

• In $E_6(q)$ or $^2E_6(q)$ a subgroup SL(6, q) or SU(6, q) centralizing a long root
group has a cyclic maximal torus of order $(q^6 - 1)/(q - 1)$ or $(q^6 - 1)/(q + 1)$,
respectively.

• In $E_7(q)$ a subgroup $\mathrm{Spin}_{12}^+(q)$ centralizing a long root group contains
subgroups GL(6, q) and $\mathrm{Spin}_8^-(q) \circ \mathrm{Spin}_4^-(q)$, which produce the tori in (2.15).

• In $E_8(q)$ a subgroup $E_7(q)$ centralizing a long root group contains subgroups
of type SL(8, q) (more precisely, its quotient by a central subgroup of order
(2, q − 1)) and $Z_{q+1} \circ {}^2E_6(q)$, producing the tori in (2.15).

(i) By the Borel-Tits Lemma [GLS, Theorem 3.1.3], $\tau$ lies in a parabolic subgroup
$U \rtimes L$ of $\hat G$, with U unipotent containing $\tau^{\varpi}$ and L a Levi factor containing $Z(\hat G)$.
Thus, we need to consider the possibility that a p'-element of L of order given in
the lemma centralizes a nontrivial element of U.

Examination of the Levi factors that contain elements of order $l$ produces the
following possibilities: the normalizer of a long root group; a parabolic of type
$q^{7+8} : B_3(q)$ in $F_4(q)$ (and then $\tau^{\varpi}$ is a short root element); a parabolic of type
$q^{2+6+12} : (\mathrm{SL}_2(q) \circ \mathrm{SL}_3(q^2))$ in $^2E_6(q)$ (and then an element of order $l$ fixes no
nontrivial element of the unipotent radical); a parabolic of type $q^{7+35} : A_6(q)$ in
$E_7(q)$ (and then an element of order $l$ fixes no nontrivial element of the unipotent
radical); and a parabolic of type $q^{8+28+56} : A_7(q)$ in $E_8(q)$ (and then an element
of order $l$ fixes no nontrivial element of the unipotent radical). Here we used [FJ]
in the last of these in order to verify the statements about $\tau^{\varpi}$; references such as
[Shi, Sho, Ca2] can also be used for other cases.

(ii) We have C^(r p ) = T* in the previous description of one type of r. Also, we 
have |N£(f,A)|/|f,||£| < |N£(f»):C£(f,)| < 72 for each of the possible tori f 1 *. 

Thus, there are \G: N & (f*R)\ > |G|/72|f*||7?| conjugates of f*R. Even in the 
exceptional ppd" cases (Mersenne primes, Fermat primes and 2 6 — 1 in Section fl.il) . 
each such conjugate has at least |T* |(1 - 1/2) (1 - 1/3) (1- 1/5) (1 - 1/7) = |T*| (8/35) 
elements t p of the required p'-order (since / has at most four ppd-factors) and 
$|R|/q$ elements of order p. Thus, in each case the number of elements $\tau$ is at least
$(|G|/72)(8/35)(1/q) = |G|/315q$. □

The proof shows that the probability is better than stated. First of all, 2 is never
a primitive prime divisor; and in all but one case there are only two or three
ppd-factors rather than four. However, for simplicity we will use the estimate 1/315q.

Notation: If G is of type $E_7$ or $E_8$, then there are two choices for $l$ in the above
lemma. We will call these $l$ and $l_0$.

Lemma 2.25. Let $R_1$ be a long SL(2, q) contained in L, and let $l$ (or $l$ and $l_0$) be
as in the preceding lemma.

(i) If G is not of type $E_7$ or $E_8$ and if $g \in L$ has order $l$, then $L = \langle R_1, g\rangle$.

(ii) If G is of type $E_7$ or $E_8$, and if $g \in L$ has order $l$ and $g_0 \in L$ has order $l_0$,
then $L = \langle R_1, g, g_0\rangle$.

Proof. Let $K := \langle R_1^{\langle g\rangle}\rangle$ (or $\langle R_1^{\langle g, g_0\rangle}\rangle$ in (ii)). Since K is normalized by g (and $g_0$),
as above the resulting ppd-factors of $|N_G(K)|$ and the Borel-Tits Lemma imply that
$O_p(K) = 1$. Using $|N_G(K)|$ and the lists in [Ka1, Coo, LS], we see that K = L. □

2.3. Probability and long root elements. Next we will study the probabilistic
behavior of some subgroups of G generated by 2, 3 or 4 long root elements or
groups. We assume that q > 9. Recall that $Z = X_\nu$.

Lemma 2.26. If z is a long root element, then a randomly chosen long root element
z' is opposite z with probability > 1/3. Moreover, with probability > 1/12, for a
randomly chosen long root element z' either $\langle z, z'\rangle \cong \mathrm{SL}(2, q)$ or p = 2 and $\langle z, z'\rangle$
is dihedral of order 2ppd"(2e,p).

Proof. We may assume that $z \in Z$. The unipotent radical $Q = O_p(C_G(Z))$ acts
regularly on the set of root groups opposite Z. Then the total number of long root
elements opposite z is $(q - 1)|Q|$, while the total number of long root elements is
$|G : C_G(z)|$. Hence, the desired probability is the ratio of these integers, and it is
straightforward to check the lower bound 1/3 in all cases.

Each opposite pair z, z' lies in a unique long SL(2, q). Two elements of order
p in that SL(2, q) generate the required type of subgroup with probability > 1/4
[KS1, Lemma 3.8(iii)]. □

We next turn to generating the long root subgroups S = SL(3, q) and
$J = \mathrm{Spin}_8^-(q)$ appearing in (2.19) and Lemma 2.23. Let R be as in (2.13).

Let n(S, R) denote the number of conjugates of S containing R, and n(J, S)
the number of conjugates of J containing S. All members of $R^G$ lying in S are
S-conjugate, and all members of $S^G$ lying in J are J-conjugate. Therefore, the
numbers n(X, Y), (X, Y) = (S, R) or (J, S), can be obtained from Tables 1 and 2
by simplifying the obvious formula to

$$n(X,Y) = \frac{|N_G(Y)|\,|X|}{|N_G(X)|\,|N_X(Y)|}.$$



Lemma 2.27. Let R, S and J be as before.

(i) The probability is at least 1/3 that R, together with a conjugate of Z opposite
Z, generate a conjugate of S.

(ii) The probability is at least 1/3 that S, together with a conjugate of Z, generate
a conjugate of J.

Proof. For (X, Y) = (S, R) or (J, S), the desired probability is at least $n(X, Y)\beta/|Q|$,
where $\beta$ is the number of conjugates Z' of Z inside X that are opposite Z and satisfy
$X = \langle Y, Z'\rangle$ (recall that |Q| is the number of G-conjugates of Z opposite Z). From
Table 1. Number of root SL(3, q) that contain a given long root SL(2, q)

G               n(S, R)                                            q-exponent
$G_2(q)$        $q(q+1)/2$                                         2
${}^3D_4(q)$    $q^3(q^3+1)/2$                                     6
$F_4(q)$        $q^6(q^3+1)(q^4-1)/2(q-1)$                         12
$E_6(q)$        $q^9(q^3+1)(q^2+1)(q^5-1)/2(q-1)$                  18
${}^2E_6(q)$    $q^9(q+1)(q^3+1)(q^5+1)/2$                         18
$E_7(q)$        $q^{15}(q^3+1)(q^5+1)(q^8-1)/2(q-1)$               30
$E_8(q)$        $q^{27}(q^9+1)(q^5+1)(q^{14}-1)/2(q-1)$            54

Table 2. Number of root $\mathrm{Spin}_8^-(q)$ that contain a given long root SL(3, q)

G               n(J, S)                                            q-exponent
$F_4(q)$        $q^3(q^3-1)/2$                                     6
$E_6(q)$        $q^6(q^3-1)^2/2$                                   12
${}^2E_6(q)$    $q^6(q^3+1)^2/2$                                   12
$E_7(q)$        $q^{12}(q^6-1)(q^5-1)(q^3-1)/2(q^2-1)$             24
$E_8(q)$        $q^{24}(q^{12}-1)(q^9-1)(q^5-1)/2(q^2-1)$          48

Tables 1 and 2 we obtain $n(S, R)/|Q| \ge 4q^{-3}/9$ and $n(J, S)/|Q| \ge q^{-9}(1 - q^{-3})^2/2$.
It remains to estimate $\beta$ in our two cases.

(i) Let V be the natural module for S = SL(3, q). Then $V = [V, R] \oplus C_V(R)$,
and the only maximal overgroups of R in S are the parabolics $N_S([V, R])$ and
$N_S(C_V(R))$. If $Z' < S$ is a conjugate of Z opposite Z, then $[V, R] \ne C_V(Z')$ and
$C_V(R) \ne [V, Z']$.
Thus, if also $S > \langle R, Z'\rangle$, then either $[V, R] > [V, Z']$ or $C_V(R) < C_V(Z')$. There
are at most $2q^2$ such Z' out of the $q^3$ opposite Z. Thus $\beta \ge q^3 - 2q^2$, and the desired
probability is at least $(4q^{-3}/9)(q^3 - 2q^2) > 1/3$.

(ii) Let V be the natural 8-dimensional module for $\Omega^-(8, q)$; we will view all
subgroups of J as subgroups of $\Omega^-(8, q)$. Then S splits V as $V = V_6^+ \perp V_2^-$. Long
root groups Z' correspond to totally singular 2-spaces T of V via T = [V, Z']. If
$V = \langle T, V_6^+\rangle$ then $T^\perp \cap V_2^- = 0$ (as otherwise T and $V_6^+$ would lie in a 7-space).
Consequently, $\langle S, Z'\rangle$ is an irreducible subgroup of J generated by long root groups
and hence is J [Ka1, LS].

Thus, we only need to estimate the number of totally singular 2-spaces not
spanning V together with $V_6^+$. Each such 2-space contains a point of $V_6^+$. Since
$V_6^+$ has $(q^2 + q + 1)(q^2 + 1)$ singular points, and each is contained in $(q^3 + 1)(q + 1)$
totally singular 2-spaces, there are at most $(q^2 + q + 1)(q^2 + 1)(q^3 + 1)(q + 1) < 3q^8$
totally singular 2-spaces meeting $V_6^+$ (as q > 9). There are $q^9$ long root groups in
J opposite Z. It follows that $\beta \ge q^9 - 3q^8$, so that the desired probability is at
least $(q^9 - 3q^8) \cdot q^{-9}(1 - q^{-3})^2/2 > 1/3$. □
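The estimates in the proof of Lemma 2.27 can be checked exactly with rational arithmetic. The following Python code is an added example, not code from the paper: it encodes Tables 1 and 2, checks the q-exponent column and the two ratio bounds, and evaluates the two final lower bounds. The exponents in Q_EXP (with |Q| = q^e) are standard values assumed here; they are not listed in this section.

```python
"""Exact check of the estimates used in the proof of Lemma 2.27 (added example)."""
from fractions import Fraction as Fr

# n(S,R) from Table 1 and n(J,S) from Table 2, each paired with the table's q-exponent.
TABLE1 = {
    "G2":  (lambda q: Fr(q * (q + 1), 2), 2),
    "3D4": (lambda q: Fr(q**3 * (q**3 + 1), 2), 6),
    "F4":  (lambda q: Fr(q**6 * (q**3 + 1) * (q**4 - 1), 2 * (q - 1)), 12),
    "E6":  (lambda q: Fr(q**9 * (q**3 + 1) * (q**2 + 1) * (q**5 - 1), 2 * (q - 1)), 18),
    "2E6": (lambda q: Fr(q**9 * (q + 1) * (q**3 + 1) * (q**5 + 1), 2), 18),
    "E7":  (lambda q: Fr(q**15 * (q**3 + 1) * (q**5 + 1) * (q**8 - 1), 2 * (q - 1)), 30),
    "E8":  (lambda q: Fr(q**27 * (q**9 + 1) * (q**5 + 1) * (q**14 - 1), 2 * (q - 1)), 54),
}
TABLE2 = {
    "F4":  (lambda q: Fr(q**3 * (q**3 - 1), 2), 6),
    "E6":  (lambda q: Fr(q**6 * (q**3 - 1)**2, 2), 12),
    "2E6": (lambda q: Fr(q**6 * (q**3 + 1)**2, 2), 12),
    "E7":  (lambda q: Fr(q**12 * (q**6 - 1) * (q**5 - 1) * (q**3 - 1), 2 * (q**2 - 1)), 24),
    "E8":  (lambda q: Fr(q**24 * (q**12 - 1) * (q**9 - 1) * (q**5 - 1), 2 * (q**2 - 1)), 48),
}
# ASSUMPTION (standard values, not stated in this section): |Q| = q^e, where
# Q = O_p(C_G(Z)) and |Q| is the number of conjugates of Z opposite Z.
Q_EXP = {"G2": 5, "3D4": 9, "F4": 15, "E6": 21, "2E6": 21, "E7": 33, "E8": 57}


def is_prime_power(n):
    """True if n = p^k for a prime p and k >= 1."""
    for p in range(2, n + 1):
        if n % p == 0:            # p is the smallest prime factor of n
            while n % p == 0:
                n //= p
            return n == 1
    return False


def table_is_consistent(table, q):
    """Every entry is an integer and has the stated degree in q.

    Each entry is (1/2) q^deg times a factor close to 1, so entry / q^deg
    must land strictly between 2/5 and 7/10 when q > 9.
    """
    return all(n(q).denominator == 1 and Fr(2, 5) < n(q) / q**deg < Fr(7, 10)
               for n, deg in table.values())


def ratio_bounds_hold(q):
    """n(S,R)/|Q| >= 4q^-3/9 and n(J,S)/|Q| >= q^-9 (1 - q^-3)^2 / 2."""
    ok1 = all(n(q) / q**Q_EXP[g] >= Fr(4, 9 * q**3)
              for g, (n, _) in TABLE1.items())
    ok2 = all(n(q) / q**Q_EXP[g] >= (1 - Fr(1, q**3))**2 / (2 * q**9)
              for g, (n, _) in TABLE2.items())
    return ok1 and ok2


def two_space_count_ok(q):
    """(q^2+q+1)(q^2+1)(q^3+1)(q+1) <= 3q^8, used to bound beta in part (ii)."""
    return (q**2 + q + 1) * (q**2 + 1) * (q**3 + 1) * (q + 1) <= 3 * q**8


def lemma_2_27_estimates(q):
    """The two final lower bounds in the proof, as exact fractions."""
    part_i = Fr(4, 9 * q**3) * (q**3 - 2 * q**2)
    part_ii = (q**9 - 3 * q**8) * (1 - Fr(1, q**3))**2 / (2 * q**9)
    return part_i, part_ii


if __name__ == "__main__":
    for q in [x for x in range(10, 60) if is_prime_power(x)]:
        i, ii = lemma_2_27_estimates(q)
        print(q, table_is_consistent(TABLE1, q), table_is_consistent(TABLE2, q),
              ratio_bounds_hold(q), two_space_count_ok(q), float(i), float(ii))
    # At q = 9 the part (ii) estimate equals (1/3)(1 - 9^-3)^2, just below 1/3.
    print(9, float(lemma_2_27_estimates(9)[1]))
```

Both estimates are at least 1/3 for every prime power q > 9, while at q = 9 the estimate for part (ii) falls slightly short of 1/3.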

We will need variations on the previous arguments: 

Lemma 2.28. (i) Suppose that D is a subgroup generated by opposite long root
elements z, z' such that either $D \cong \mathrm{SL}(2, q)$ or q is even and D is dihedral of
order 2ppd"(2e, 2). Then the probability is at least 1/4 that D, together with a
conjugate y of z opposite z, generate a conjugate of S.
(ii) The probability is at least 1/3 that C§(R) — S (~l L and a random conjugate 
S, I £ L, generate a G-conjugate of J having an element normalizing R and 
conjugating C§(R) into S . 

Proof. (i) By Lemma 2.27(i), with probability at least 1/3 the three root groups
containing z, z' or y generate a conjugate of S. Thus, we only need a lower bound
on the conditional probability that $S = \langle D, y\rangle$ for a root element $y \in S$ opposite z.

In view of the structure of D, the only maximal overgroups of D in S are
$N_S([V, D])$ and $N_S(C_V(D))$ (compare [KS1, Lemma 3.7]). Define $\beta$ as at the start
of the proof of Lemma 2.27. Then at least $\beta(q - 1)$ of the $q^3(q - 1)$ root elements
in S opposite z generate S together with D, so that the desired probability is at
least $(1/3)\beta(q - 1)/q^3(q - 1) \ge (q^3 - 2q^2)/3q^3 > 1/4$.

(ii) Somewhat as in Lemma 2.27(ii).

(2.29) S and $S^l$ generate a long $\mathrm{Spin}_8^-(q)$ subgroup with probability > 1/4.

For, the number of "good" conjugates $S^l$ such that $\langle S, S^l\rangle \in J^G$ is $n(J, S)\gamma$, where
n(J, S) is in Table 2 and $\gamma$ is the number of good $S^l$ per J-conjugate containing S.
On the other hand, $|S^L|$ is just the number n(S, R) of conjugates of S containing
R (by Lemma 2.21). Thus, the desired probability is $n(J, S)\gamma/n(S, R)$. We will
provide a lower bound for $\gamma$, from which (2.29) will follow using Tables 1 and 2.

For this purpose, we restrict our attention to the 8-space V associated with J.
As for the preceding lemma, $S^l$ is good if (and only if) $\langle S, S^l\rangle$ is irreducible on V.

If Vg := [V", S] then Vg + = U3 (B for totally singular S- invariant 3-spaces 
1/3,1/3. Also, [V,R] is a nondegenerate 4-space of type + meeting U3, at 2- 
spaces 1/2,1/2, respectively. 
Since I centralizes R, the totally singular 3-spaces U^,U£ l meet [V,R] in totally
singular 2-spaces U2 := U%, {/| : — U$ , lying in the same "half" of the set of totally 
singular 2-spaces of [V,R] as U2,U£ (this "half" consists of q + 1 totally singular 

2- spaces pairwise meeting in 0, all of which are R- invariant); there are (q+l)q such 
ordered pairs U 2 , U£ 01 distinct 2-spaces. Each of the subspaces U\, U£ l meets the 
4~-space [V, R] 1 - = (U2, U£)~ L m a singular point; there are (q 2 + l)q 2 ordered pairs 
Pi , P2 of distinct singular points in \V 1 R] . Each such ordered pairs of 2-spaces 
and of points determine a unique ordered pair (U2,Pi), {U£,P2) of totally singular 

3- spaces left invariant by a conjugate S , and each S arises this way exactly twice 
(twice because the ordered pairs XJ%, U£ and pi,P2 determine the same conjugate 
of S as the ordered pairs U£, U2 and p2,Pi)- Of the pairs pi,P2 of singular points, 
q 2 — 1 points p\ do not lie in Vg and at least q 2 — 1 — (q — 1) points P2 do not 
lie in (V 6 + ,pi}, in which case V = {V 6 + , Pl ,p 2 ) = (U 3 ,U£ ,U^U; 1 ) and (S,S l ) is 
irreducible. Thus, 2 7 > (q+l)q-(q 2 - l)(q 2 - q). Now Tables Q] and H yield (j2~29| . 

Let $A := S \cap L$. It remains to show that $\langle S^l, A\rangle = J$, $l \in L$, assuming that
$\langle S, S^l\rangle = J$. Instead of this it will be more convenient to show that $\langle S, A^l\rangle = J$,
$l \in L$, assuming that $\langle S, S^l\rangle = J$.

If $\langle S, A^l\rangle$ is irreducible on V then so is $\langle S, S^l\rangle$, and then both of these groups are
J using [Ka1, LS]. Moreover, S and $S^l$ are long SL(3, q)-subgroups of J containing
R, and hence are conjugate under $N_J(R)$ (cf. Lemma 2.21(ii)). Then $A^{lj} \le S^{lj} = S$
for some $j \in N_J(R)$, as required in (ii).

We will assume that (S, A 1 ) is reducible and obtain a contradiction. A generator 
of A 1 = Cgi(R) acts on V by centralizing a 2 "-space (hence with eigenvalue 1 
there) while acting on V 6 +/ with two invariant totally singular 3-spaces U^,U£ l and 
eigenvalues on them of the form A, A, A~ 2 and A -1 , A -1 , A 2 , respectively, where A 
has order q — 1. In particular, G v +i(A l ) = since q > 3, so that Cv(A l ) has no 

singular points. Thus, the only totally singular 3-spaces left invariant by A 1 are 
contained in Vg . 

Any proper (S, ^4 z )-invariant subspace W of smallest dimension must be totally 
singular or nondegenerate. Clearly S and A 1 have no fixed common nonzero vector 
since Cv(S l ) = Cv(A l ) and J = (S, S l ). Thus, W is U 3 or U£, and yet we have seen 
that it must be contained in V^K Then the 6-spaces Vg + = [V, S] and V^ 1 = [V, A 1 } 
both contain both W and the 4 + -space [V, R], and those span at least a 5-space. 
Thus, ([V,S],[V,S 1 ]) = ([V,S],[V,A 1 ]) < V and {S,S l ) is reducible. This is the 
desired contradiction. □ 

2.4. Start of the proof of Theorem 1.1. We are given a black box group G
that is a nontrivial epimorphic image of the universal cover $\hat G$ of an exceptional
group of Lie type of rank ≥ 2 over a field of order q > 9. Therefore $\hat G$ is the simply
connected cover [GLS, p. 313]. We start by using the Monte Carlo algorithm in
[BKPS] in order to (probably) find the type of group we are dealing with. Similarly,
every time we call an existing constructive recognition algorithm in Theorem 1.3
we assume that [BKPS] has first been used in order to make it likely that we are
testing a group having the desired structure: the algorithm in [BKPS] is far faster
than any constructive recognition algorithm (such as Theorem 1.3), although these
checks are not necessary for the proof of Theorem 1.1.

Eventually we will test that the group is, indeed, as expected: in Proposition 2.33
and Corollary 2.42 we will verify a presentation (2.2)-(2.5) or (2.6) for G. Such a
presentation is also crucial for uses of Theorem 1.1 such as those in [KS2, LG .

2.5. Finding a long root element. Choose up to 3150q elements $\tau \in G$ until one
is found such that $|\tau| = pl$ for $l$ in Lemma 2.24. When we obtain $\tau$ of the desired
sort, Lemma 2.24(i) states that $z := \tau^{\varpi}$ is a long root element, or possibly a short
one when G has type $F_4$. For the latter groups we proceed somewhat differently.

Suppose that G has type $F_4$. If q is even then the graph automorphism sends
short root elements to long ones, so we may assume that z is long. If q is odd
then we run the algorithm up to 3200q times, from finding $\tau$ until the group L is
constructed and tested at the start of Section 2.9 (specifically: we find $\tau$ and then
find and test z', y, S, $S_2$, $Z_1$, J and L).

Remark 2.30. Correctness: There is no subgroup of $F_4(q)$, q odd, generated by
short root elements and isomorphic to Sp(6, q). For, $F_4(q)$ has exactly 2 classes
of involutions, with centralizers $\mathrm{Spin}_9(q)$ and $(\mathrm{SL}(2, q) \circ \mathrm{Sp}(6, q)).2$ (for a long
SL(2, q)) [Sho]: only the latter type has a subgroup Sp(6, q), and the long root
groups in Sp(6, q) are also long for G. Thus, if we obtain a subgroup $L \cong \mathrm{Sp}(6, q)$
then z is a long root element.

There are other ways to handle this odd case. For example, the group generated
by 4 conjugates of a long root element is isomorphic to $\mathrm{Spin}_8^-(q)$ with probability
> 1/16, but the same is not true for short root elements, once again using the
nature of the centralizers noted above of the 2 classes of involutions. In Section 4,
Remark HI this ambiguity is avoided using an entirely different approach that finds 
the involution in R and then its centralizer in G. 

For the cases $E_7(q)$ and $E_8(q)$ there are two possibilities $l$, $l_0$ in Lemma 2.24, and
hence we also find a second element $\tau_0$ of order $pl_0$. Then $z_0 := \tau_0^{\varpi}$ is a long root
element.

Reliability: $> 1 - 1/2^9$ for $\tau$ and $\tau_0$ in all but the exceptional $F_4$ case. For, all
$\tau$ fail to have the required order with probability $< (1 - 1/315q)^{3150q} < 1/2^{10}$, by
Lemma 2.24.

In the exceptional $F_4$ case, for a given choice $\tau$, if z is a long root element then
we will succeed at showing this and finding the needed elements and subgroups with
probability $> 1 - 1/2^8$ (in view of the individual probabilities in the next sections).
Hence, we will succeed for a given $\tau$ with probability $> (1/315q)(1 - 1/2^8) > 1/320q$.
All 3200q repetitions fail with probability $< (1 - 1/320q)^{3200q} < 1/2^{10}$.
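
The two failure estimates above have the same shape, which recurs in the later reliability estimates; the following short derivation is an added note, not part of the original paper. If a single trial succeeds with probability at least $\varepsilon$ and $N = 10/\varepsilon$ independent trials are made, then, since $1 - x \le e^{-x}$,

$$(1-\varepsilon)^{N} \le e^{-\varepsilon N} = e^{-10} < 2^{-10}.$$

Here $\varepsilon = 1/315q$ with $N = 3150q$ in the general case, and $\varepsilon = 1/320q$ with $N = 3200q$ in the exceptional $F_4$ case.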

Time: $O(q[\xi + \mu \log^2 q])$ to choose elements $\tau$ (and $\tau_0$) and to test the order of each
of them using [KS1, Lemma 2.7]; but $O(\xi q \log q + \mu q \log^2 q)$ if the $F_4$ test is needed.

2.6. Matching up root elements. For the cases $E_7(q)$ and $E_8(q)$ we have two
elements $\tau$ and $\tau_0$, and we have powers z and $z_0$ of them that are long root elements.
We need to arrange to have $\langle z\rangle = \langle z_0\rangle$.

Repeat up to 240 times: choose a conjugate $z_1$ of $z_0$, test whether z and $z_1$ are
opposite; and for odd q use Theorem 1.3(ii) to test whether $\langle z, z_1\rangle \cong \mathrm{SL}(2, q)$, and,
if so, to obtain a constructive isomorphism $\mathrm{SL}(2, q) \to \langle z, z_1\rangle$. If p = 2 then $\langle z, z_1\rangle$
is dihedral of order dividing 2(q ± 1).

For each q it is now easy to conjugate $\langle z\rangle$ to $\langle z_1\rangle$ and hence to $\langle z_0\rangle$.
Thus, we can conjugate $\tau_0$ in order to arrange that $\langle z\rangle = \langle \tau^{\varpi}\rangle = \langle \tau_0^{\varpi}\rangle = \langle z_0\rangle$
(recall that $\varpi$ denotes the p'-part of |G|).

Reliability: $> 1 - 1/2^{10}$. For, by Lemma 2.26, $z_1$ is opposite z with probability
> 1/3, and we use (2.12) to test this. If this occurs and q is even then we are merely
conjugating within a dihedral group.

If q is odd then $\langle z, z_1\rangle \cong \mathrm{SL}(2, q)$ with probability > 1/12 (by Lemma 2.26), in
which event Theorem 1.3 succeeds with probability > 1/2. Thus, all 240 repetitions
fail with probability $< (1 - 1/24)^{240} < 1/2^{10}$.

Time: $O(\xi q \log q + \mu q \log^2 q)$, dominated by the time to find the constructive
isomorphism.

2.7. The subgroups R, Z, Z~ and S. Choose up to 10 ■ 2 12 pairs z',y of con- 
jugates of z, and use (|2.12j) and Theorem ll.3f ii) in order to test whether both 
are opposite z and S :— (z,z',y) and 5*2 := {z,z' T ,y) are both isomorphic to 
S = SL(3,q); and, if so, to find constructive isomorphisms ^s-S —> S and 
1 &s 2 '- 5* — > 5*2, together with generating sets S§ and S s of S and S, respectively, 
such that Sg^s = S s . We may assume that S is the subgroup of G defined in 
(|2.19l) ; we will use the notation in (|2 . 13[) . 

Find R := M s < S, Z := X V V S and Z~ := X_ v ^ s using Theorem 0(iv) . 
Then R= (Z,Z-) = SL(2, q). 

Conjugate within S in order to have z £ Z and z' € Z~ . Then t p centralizes Z 
since it centralizes z£Z. Find the root group Y < S containing y. 

Use ^s 2 to find an element of O p (Cs 2 (Z)) conjugating (Z~) T to Y (recall that Z 
and Y are opposite), and use to find an element of O p (Cs(Z)) conjugating Y to 
Z~ . The product of these two elements is an element c G O p (C S2 (Z)^O p (Cs(Z)^j C 
Q := O p (C G (Z)) such that (Z-) T " C = Z~ (cf. Lemma [^^iii) ; of course we do 
not yet have Q to work with). Then t p c and t p are elements of Cg(Z) that agree 
mod Q, so that I divides the order of t p c. Moreover, t p c normalizes Z~ while 
centralizing Z . 

Thus, t p c centralizes R and has order divisible by I. 

Recall from the preceding section that Z contains (z) = (zq) when G is of type 
Ei or Eg. In that case we have a second element To, and we obtain in the same 
way a second element t^cq of Cq{R), this time of order divisible by Iq. 

Reliability: $> 1 - 1/2^9$. For, both members of a pair z', y are opposite z, with
z' behaving as in the second part of Lemma 2.26 and $S, S_2 \cong \mathrm{SL}(3, q)$, with
probability $> (1/12)(1/3)(1/4)^2 > 1/2^{10}$ (by Lemmas 2.26 and 2.28(i)); in which case
Theorem 1.3(ii) succeeds for both S and $S_2$ with probability $> (1/2)^2$. Hence, all
$10 \cdot 2^{12}$ repetitions fail with probability $< (1 - 1/2^{12})^{10 \cdot 2^{12}} < 1/2^{10}$. The probability
involved in repeating the above for $\tau_0$, if needed, is dealt with similarly.

Time: $O(\xi q \log q + \mu q \log^2 q)$, dominated by finding $\Psi_S$ and $\Psi_{S_2}$ using Theorem
1.3(ii).

2.8. The long subgroups J and $R_1$. Repeat up to 30 times: choose a conjugate
$Z_1$ of Z, and use Theorem 1.3(ii) in order to test whether $J := \langle S, Z_1\rangle \cong \mathrm{Spin}_8^-(q)$;
and, if so, to obtain a constructive isomorphism $\Psi_J : \mathrm{Spin}_8^-(q) \to J$.

Find a long SL(2, q)-subgroup $R_1 < C_J(R)$ using $\Psi_J$. Obtaining this long
SL(2, q) is the only use we have for J and $\Psi_J$.

Reliability: $> 1 - 1/2^{10}$ using Lemma 2.27(ii).

Time: $O(\xi q \log q + \mu q \log^2 q)$, dominated by finding $\Psi_J$ using Theorem 1.3(ii).

2.9. The subgroups L, T and N. Let $L := \langle R_1, \tau^p c\rangle$ or $\langle R_1, \tau^p c, \tau_0^p c_0\rangle$ in the
cases $F_4$, $E_6$, ${}^2E_6$ or $E_7$, $E_8$, respectively. The generators of L lie in $C_G(R)$ (cf.
Section 2.7). Hence, $L = C_G(R)$ by Lemma 2.25.

The subgroups S and L behave as in Lemma 2.21(ii), and hence the pair S, L
is uniquely determined up to conjugacy in G. In particular, we can use the
information in Section POl to study G by means of constructive isomorphisms for these
subgroups. Note, however, that these isomorphisms might not match up properly,
which will make us (possibly) have to modify the pair (S, L) in Lemma 2.32.

Use up to 10 repetitions of Theorem II .3f ii). or recursion if G = E%{q), in order 
to find generating sets 5£ of L and Sl of L and an isomorphism l : L — > L such 
that S L ^ L = 52. Also find the following subgroups of G using ([2~T7| and ([2T9]) : 

T L := T £ * L , T s := T s * s , N L := N t * L and N s := N S * S - 

(Recall that we already have a generating set S s of S.) We will often use the fact 
that and ^l are isomorphisms even though the target epimorphism = 
may not be bijective. In particular, always produces a unique element of G. 

Reliability: $> 1 - 1/2^{10}$.

Time: $O(\xi q \log q + \mu q \log^2 q)$, dominated by finding $\Psi_L$.

Remark 2.31. A version of the presentation (2.2)-(2.5) or (2.6) is used for L as
part of Theorem 1.3(ii). Conceivably this is not a subpresentation of the
presentation (2.2)-(2.5) or (2.6) that we are using for G: the signs may not agree. We
assume that, as part of the recursive call, the signs in the presentation (2.2)-(2.5)
or (2.6) for L have been changed so as to coincide with the corresponding ones for
G. Since we are only dealing with presentations of groups of small (bounded) rank,
there are only a few sign changes required here.

2.10. Matching up $T_S$ and $T_L$ in order to obtain T. At this point it need
not be the case that $\langle T_S, T_L\rangle$ is a maximal torus of G. In order to guarantee that
property we need to arrange for the 1-dimensional torus $S \cap L$ of both S and L to
lie in both of the tori $T_S$ and $T_L$.

Lemma 2.32. There is an algorithm replacing the pair (S, L) by a conjugate pair in
order to have $S \cap L = T_S \cap T_L$. This algorithm is deterministic and runs in $O(\mu q)$
time, except when G is $E_8(q)$, in which case it is Las Vegas, takes
$O(\xi q \log q + \mu q \log^2 q)$ time and succeeds with probability $> 1 - 1/2^{10}$.

Proof. Recall from Section [2771 that S is the subgroup of G defined in (|2.19j) . Since 
R = m s , we can find S <1 L = C S {R) = (C § (R))^ S using Theorem Ow) • Since 
T s normalizes the root groups X V ,X- V of R, T s contains C S (R) (using a basis of 
the 3-space for S as in the proof of Lemma l2~2"2"j) . Thus, S D L = (Cg(R))^ s < 
T^S = T S . 

We will provide two entirely different approaches to the remaining part of the
proof: arranging to have $S \cap L \le T_L$. The first is deterministic (as in the statement
of the lemma) and simpler for G not of type $E_8$, while the second is more uniform.
The timing in the lemma refers to the first method. (For rank 2 groups in Section 3
we will use the first method.)

Method 1. We assume initially that G does not have type $E_8$. Then L is
(essentially) a classical group (cf. (2.15)); let V be its natural module. (It will not
matter that this module is not faithful when L is a spin group.)

We have found the (cyclic) group S fl L using S. Find A := (S Pi L)^^ 1 using 
Theorem ll.3f iii) . Diagonalize A on V using a hyperbolic basis that determines 
a maximal split torus T of L containing A. Find I in the classical group L such 
that T l = (this is just a basis change). Find I :— I^l using Theorem ll.3f iv). 
Replace S by S l and T s by T l s . (Correctness: We have S l n L = (SnL) 1 = 
i'~* L < T'"* L = T L V L , where the latter is T L by definition in Section HU Then 
S 1 ' n L = (S n L)' < T l s C\Tj, < S l C\ L since SnL<T s . Therefore, replacing 5 by 
S l and T 5 by T l s gives the desired equality S n L = T s n T L .) 

If G has type £Jg we again find A := (S D i)^^ 1 , using up to 10 recursive calls 
to Theorem 1 1 . If iii. vii) . Then the following are accomplished in the Appendix: find 
the Lie algebra of L = Ef(q), then find a Chevalley basis producing a split torus 
of L containing A, and finally find I £ L conjugating this torus to the torus in 
(|2.17| . Find I :— Z\P l using another recursive call to Theorem ll.il and replace S 
by S l and T s by T l s . (Correctness: Once again S l n L < T L ^ L = T L , and our 
replacement again gives S fl L = Ts l~l T/,.) 

Method 2. Find the subgroup A := (5 n Z,)#l of T £ * L = T L using Theo- 
rem [T^iii). 

Repeat up to 30 times: choose I E L, use Theorem ll.3f a) to test whether 
(S l , A) = SpiiijT (q) and, if so, use the resulting constructive isomorphism SpinjT (q) — > 
(S l ,A) in order to find j € (S l , A) that normalizes R and conjugates A into S . Let 
m-^lj- 1 . Replace S by S m and T s by T™. 

Correctness: There is an epimorphism : G — >■ G extending ^ ^ and hence send- 
ing ^ to i?. Then 5* contains m = R, and A = (S H L)#l = (Sfl L)W = 
S 1 * n = C^(J?) behaves as in Lemma ^TM. ii). 

By that lemma, we may assume that (S l , A) is isomorphic to Spin^T (q) and has 
an element normalizing R and conjugating A into 5 . With m <E Nq(R) as above, 
A < S m n L, so that A = S m n L by Lemma E^ii) since A = D L. Then 
A = (5 n L) m < Tip (by the start of the proof of this lemma), while A < T L by 
definition. Thus, 4<T s m nT L < S™ n L = A. Replacing S by S m and T s by T 7 s n 
gives T S C\T L = SC\L. 

Time: Method 2 requires $O(\xi q \log q + \mu q \log^2 q)$ time, dominated by the test for
isomorphism with $\mathrm{Spin}_8^-(q)$.

Method 1 uses Theorem 1.3(iii, iv) for and hence runs in $O(\mu q \log q)$ time if G
does not have type $E_8$. However, in the $E_8$ case it again takes $O(\xi q \log q + \mu q \log^2 q)$
time since a constructive isomorphism is used in the Appendix. (N.B.-The faster
$O(\mu q \log q)$ time is significant, but it does not influence the overall time for the
algorithm in Theorem 1.1.)

Reliability: $> 1 - 1/2^{10}$ in Method 2, in view of Lemma 2.28(ii) and the 30
repetitions of Theorem 1.3(ii). The same probability can be obtained in the $E_8$
case of Method 1. □

At this point we could also arrange to have $\Psi_S|_{\hat S \cap \hat L} = \Psi_L|_{\hat S \cap \hat L}$, but we will not
need this.

The subgroups T, N and W. By Lemmas HH and 2.32, $T := \langle T_S, T_L\rangle$ is a
maximal torus and W := N/T is the Weyl group of G, where $N := \langle N_S, N_L\rangle$.

2.11. The root groups $X_\alpha$. Associated with 1U there is a root system $\Phi$ having
a subsystem $\Phi_L$ corresponding to L. In Section 2.7 we already used the roots $\nu$, $\nu'$
appearing in (2.13), (2.14) since S was defined using (2.19). There is a base $\Delta_L$ for
$\Phi_L$ such that $\Delta := \Delta_L \cup \{\nu'\}$ is a base for $\Phi$.

We next find the $|\Phi|$ root groups $X_\alpha$, $\alpha \in \Phi$. We already have $X_\nu = Z$ and
$X_{-\nu} = Z^-$. Use the isomorphism $\Psi_L$ and Theorem 1.3(iv) to find the $T_L$-invariant
root groups $X_\alpha$, $\alpha \in \Phi_L$. Conjugate these using N in order to obtain all $|\Phi| \le 240$
root groups $X_\alpha$, $\alpha \in \Phi$.

Time: $O(\mu \log q)$ using $\Psi_L$ (Theorem 1.3(iv)). For, we only need one nontrivial
root element in one root group $X_\alpha$ of each length, an element $h_\alpha(t)$ generating the
corresponding 1-dimensional torus, and a "reflection" $n_\beta(1)$ for each $\beta \in \Delta_L$, after
which we can conjugate using (2.9) and (2.10).

Note also that we only need coset representatives in N of the stabilizer in N
of the long root $\nu$; this stabilizer is $N_L T$. A similar remark holds for short roots,
if there are any. There are at most 240 such coset representatives for each type
of root, and these can be quickly found in O(1) time using standard permutation
group algorithms for W [Ser, Ch. 4]. Alternatively, it is straightforward to write
coset representatives as explicit products of fundamental reflections in the Weyl
group.

2.12. The epimorphism $\Psi : \hat G \to G_0$. Let $G_0 := \langle X_\alpha \mid \alpha \in \Phi\rangle$. We next show
that $G_0$ is an epimorphic image of $\hat G$. In Corollary 2.42 we will test whether each
member of the original generating set S of G lies in $G_0$, thereby verifying that $G_0$
is G.

The isomorphism $\Psi_L$ lets us "coordinatize" each root group $X_\alpha$, $\alpha \in \Phi_L$: labeling
the elements of $X_\alpha$ as $X_\alpha(t)$, $t \in F$ or F', in a manner preserved by the conjugations
(2.10) for $\alpha \in \Phi_L$ and satisfying the relations (2.2)-(2.5) or (2.6). This was already
noted in Remark 2.31. We need to coordinatize each root group $X_\alpha$, $\alpha \in \Phi$, in the
same manner:

Proposition 2.33. There is a deterministic $O(\mu \log^2 q)$-time algorithm that labels
any given element of any root group $X_\alpha$, $\alpha \in \Phi$, as $X_\alpha(t)$ for some t in F or F', in
such a way that the map $\hat X_\alpha(f_k) \mapsto X_\alpha(f_k)$ (for all appropriate $\alpha$ and k) extends
to an epimorphism $\Psi : \hat G \to G_0$. Moreover, $\Psi|_{\hat L} = \Psi_L$.

Proof. We have G and its presentation, and we have already coordinatized all 
4(A) = t(A)*/,ae*;, 

We also already have the long root v' in (|2.14j) . By (|2.9[) . N^(X V /) centralizes 
L and is transitive on the nontrivial elements of X v i. Hence, we can choose any 
nontrivial element of X v i and label it X u /{1). We now show that all remaining 
labels are uniquely determined. 

Let $\delta \in \Delta_L$ be the long root not perpendicular to $\nu'$. Using (2.9) for $h_\delta(f_k)$ we
can correctly label $X_{\nu'}(f_k)$ and hence any given element of $X_{\nu'}$.

By (2.5), we have relations $[\hat X_\alpha(f_k), \hat X_\beta(f_l)] = \hat X_{\alpha+\beta}(\epsilon_{\alpha,\beta} f_k f_l)$ in $\hat G$ whenever
$\alpha \in \Phi_L$, $\beta$ and $\alpha + \beta$ are long. Each subgroup $X_\alpha$ of L has already been coordinatized.
Starting with all root groups of L together with $X_\beta := X_{\nu'}$, by repeatedly using
these relations with hats removed we coordinatize all positive long root groups.
Alternatively, we could achieve this by using (2.10) for $n_\beta(1)$, $\beta \in \Phi_L$.

We next coordinatize X-„i using a = v — v 1 G ft = —v' together with 
the desired relation [X v / +a (l),X- v /(u)] — X a (e u i+ a -v' u ) in f)2.5f) or (|2.6|) (here 
tv'+ a ,-v' '■— Cy^y+a-vi in (|2.5|l ). First, find an F p -basis for the elementary 
abelian group X— v > (recall that this root group was obtained as a conjugate of 
a root group of L). For each element x in this basis, find its coordinate u via 
[Xu'+a (l),x] = X a (e u) using linear algebra in X a . This produces the 

coordinates of a basis of X- V i and hence of any given element of 

Now coordinatize all negative long root groups as above. 

This leaves us with the groups of type $F_4$ or ${}^2E_6$, where there are also short
roots to consider. Here we use the last relation in (2.6) as above in order to
coordinatize $X_{\alpha+\beta}$ whenever $\alpha$, $\alpha + 2\beta$ are long and $\beta$, $\alpha + \beta$ are short.

Namely [X a (l), Xp(fi)] = X Q+(3 (e Q(3 fi)X a+2 fi{e' a pfJf) where we already know 
X a +2p(£' a pfifi)- 

Finally, we verify all of the relations (2.2)-(2.5) or (2.6). This proves our
assertions concerning both $\Psi$ and $\Psi|_{\hat L}$.

This algorithm is deterministic. The stated time includes verifying the relations
(cf. [KS1, 7.2.2]). □

Note that this same commutator method could have been used to produce all of
the root groups $X_\alpha$, not just to label them. This may, in fact, be more efficient in
practice. Also note that $\Psi$ extends $\Psi_L$ but not necessarily

Remark 2.34. We have G = (S*), where S* consists of all of the X a {fk), a G 
Let S consist of the elements X a (fk) of G, so that S^ — S* is the defining property 
of*. 

Corollary 2.35. A random element of $G_0$ can be constructed as a straight-line
program of length O(log q) in S in time $O(\mu \log q)$.

Proof. Let U := JJ X a and U w := JJ X a for each w G W = N d /T d (for a 

a>0 a>0>w(a) 

suitable order of the factors). Also let hg be a generator of hs(¥*) (or of hs(V*) if 
5 is short), for each 5 G A. Then is the direct product of the groups (hs},5 G A. 
For w G W choose n w G such that w = n w T^. 

By |Cal| Corollary 8.4.4] or |GLS| Theorem 2.3.5], every element of G has the 
unique Bruhat normal form unv with u G U,n G N^, w := nT^ G W and v G U w . 

Hence, a random element of G is obtained by choosing w and hence n w , then 
t G and hence n :— n w t, and finally letting u and v be products of randomly 
chosen elements of the relevant root groups. By (|2.2|) . each of the 0(1) root group 
elements appearing in the definition of U or U w is a product of powers of elements 
of S with exponents between and p— 1, hence can be obtained using a straight-line 
program of length 0(log q) from S. Similarly, t — Yl SeA h^ with < a(S) < \h$\, 
and (|2.7p shows that t also can be obtained using a straight-line program of length 
(9(log q) from S. Thus, the required random root group elements and t are obtained 
by randomly choosing w and all of the preceding exponents. 
Finally, apply $\Psi$ in order to obtain a random element of $\hat G\Psi = G_0$. □

Note that this corollary involves the more classical notion of "random" element 
rather than the more subtle version in [Bab (cf. Section In particular, the 

parameter $\xi$ is not involved.

2.13. Effective transitivity of Q. The set $Z^G$ of long root groups is far too large
to be managed effectively using standard permutation group methods (cf. [Ser]).
Nevertheless, as in [KS1, Br2, BrK1, BrK2, LMO], we need to circumvent this
difficulty when using the action of $Q := \langle X_\alpha \mid \alpha \in \Phi^+ \setminus \Phi_L\rangle$ on this set. As in the
above references, the following effective transitivity of Q will be crucial later (in 
Section \2JM : 

Lemma 2.36. There is an $O(\xi q \log q + \mu q \log^2 q)$-time Las Vegas algorithm which,
with probability $> 1 - 1/2^{10}$, when given long root groups A and B opposite to Z,
finds the unique element $u \in Q$ such that $A^u = B$.

Proof. Each long root group opposite Z has the form B v for a unique v E Q. 
Repeat up to 60 times: choose v € Q, test whether S(v) :— (Z,A,B V ) = SL(3,g) 
using Theorem ll.3f ii); if so obtain a constructive isomorphism ^s(v) : SL(3, q) — > Y , 
and finally use ^siu) ancl Theorem ll.3f iii.iv) in order to obtain an element of 
Op(Cs( v )(Z)) conjugating A to B v . Since O p (Gs( v ){Z)) is transitive on A^C]S(v), 
such an element exists, and it is in Q by Lemma l2.21f iii). 

Reliability: > 1- 1/2 10 , since (Z,A,B V ) ^ SL(3,q) with probability > 1/3 by 
Lemma r2.27f i). and Theorem 1 1.3f ii) succeeds with probability > 1/2, so that all 60 
repetitions fail with probability < (1 - 1/6) 60 < 1/2 10 . 

Time: 0(^q\ogq + fj,qlog 2 q), dominated by finding ^s(v)- D 

2.14. Linear algebra in Q/Z. We next address the problem of writing an element
$g \in Q$ as a word in the generators $X_\alpha(t)$.

Fix an ordering of the roots for Q, with $Z = X_\nu$ first. (For example, modify the
ordering in [Ca1, p. 78] so that $\nu$ is first.) Then each $g \in Q$ can be written as a
product $g = \prod_{\alpha\in\Phi^+\setminus\Phi_L} X_\alpha(t_\alpha)$ in the chosen order, with each $t_\alpha \in F$ or $F'$ written
as $\mathbb{F}_p$-linear combinations of the given bases of F or F'. We will call this product
the standard form of g.

Proposition 2.37. The standard form of any given $g \in Q$ can be computed
deterministically in $O(\mu\log q)$ time.

Proof. We first deal with the case in which G is not $F_4(q)$ with q even. (The
omitted case is handled in the following lemma.) We must find the standard form
$\prod_{\alpha\in\Phi^+\setminus\Phi_L} X_\alpha(t_\alpha)$ of g. Let $X_\gamma(t_\gamma)$ be the rightmost nontrivial factor in the
product. By Lemma 2.18(ii) there is a unique root group $X_\beta$ in Q that does not commute
with $X_\gamma$. Then we can find $t_\gamma$ using linear algebra in $X_\nu$:

$[g, X_\beta(1)] = [X_\gamma(t_\gamma), X_\beta(1)] = X_\nu(C_{\gamma,\beta;1,1}\,t_\gamma)$

by (2.5) and (2.6), since $X_\beta$ commutes with $g_1 := gX_\gamma(-t_\gamma)$.

Now compute $g_1$ and repeat O(1) times. The procedure ends with $g \in X_\nu = Z$
after we have processed O(1) roots in $\Phi^+ \setminus \Phi_L$.

This procedure is deterministic. The time takes into account the need to write
a given field element $C_{\gamma,\beta;1,1}\,t_\gamma$ in terms of the basis vectors $f_k$.

The case $F_4(q)$ with q even. Here we will modify the above procedure using
explicit knowledge of the positive roots of the root system of type $F_4$ together with
the explicit presentation (2.2)-(2.5) or (2.6).

Conventions: The roots in our base $\Delta$ are ordered $\alpha_1, \alpha_2, \alpha_3, \alpha_4$, so that the
high root is $\nu = 2342$, where we write $\alpha = abcd$ if $\alpha = a\alpha_1 + b\alpha_2 + c\alpha_3 + d\alpha_4$.

The positive roots: 

1000, 0100, 0010, 0001, 1100, 0110, 0011, 1110, 0120, 0111, 1120, 1111, 
0121, 1220, 1121, 0122, 1221, 1122, 1231, 1222, 1232, 1242, 1342, 2342 
The roots for Q: those of the form 1bcd or 2342.

The short roots for L: ±0001, ±0011, ±0010, ±0110, ±0111, ±0121. 

The long roots for L: ±0122, ±0120, ±0100. 

The short roots for Q: 1232, 1231, 1221, 1121, 1111, 1110. 

The long roots $\ne 2342$ for Q: 1342, 1242, 1222, 1122, 1220, 1120, 1100, 1000.

The above lists of n = 6 or 8 roots in Q are listed so that the ith and (n - i + 1)st
roots sum to the highest root. For example, 1231 + 1111 = 2342 and 1222 + 1120
= 2342.
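The root data above can be checked mechanically. The following Python sketch is an added example, not code from the paper: it generates the $F_4$ root system by closing the simple roots under reflections, compares the positive roots with the page's list, splits them into roots of L and of Q by length, and confirms that every root of Q other than 2342 has exactly one partner in Q summing to 2342. The Gram matrix (the standard one for a base with $\alpha_1, \alpha_2$ long and $\alpha_3, \alpha_4$ short) and all function names are assumptions of this example.

```python
"""Root data of type F4 in the page's 'abcd' notation (a*a1 + b*a2 + c*a3 + d*a4)."""

# Assumed: twice the Gram matrix of the base a1, a2 (long), a3, a4 (short).
# Long roots get norm 4 and short roots norm 2, so all arithmetic is integral.
GRAM2 = [
    [4, -2, 0, 0],
    [-2, 4, -2, 0],
    [0, -2, 2, -1],
    [0, 0, -1, 2],
]
SIMPLE = [tuple(int(i == k) for k in range(4)) for i in range(4)]
HIGHEST = (2, 3, 4, 2)

# The 24 positive roots exactly as the page lists them.
PAGE_POSITIVE = set("""
1000 0100 0010 0001 1100 0110 0011 1110 0120 0111 1120 1111
0121 1220 1121 0122 1221 1122 1231 1222 1232 1242 1342 2342
""".split())


def form(u, v):
    """Bilinear form given by GRAM2."""
    return sum(u[i] * GRAM2[i][j] * v[j] for i in range(4) for j in range(4))


def reflect(beta, alpha):
    """Reflection of beta in the hyperplane orthogonal to the root alpha."""
    cartan_integer = 2 * form(beta, alpha) // form(alpha, alpha)
    return tuple(b - cartan_integer * a for b, a in zip(beta, alpha))


def all_roots():
    """Close the simple roots under the simple reflections (Weyl group orbit)."""
    seen, todo = set(SIMPLE), list(SIMPLE)
    while todo:
        beta = todo.pop()
        for alpha in SIMPLE:
            gamma = reflect(beta, alpha)
            if gamma not in seen:
                seen.add(gamma)
                todo.append(gamma)
    return seen


def label(root):
    """'abcd' label of a positive root."""
    return "".join(str(c) for c in root)


def is_long(root):
    return form(root, root) == 4


def f4_data():
    roots = all_roots()
    positive = {r for r in roots if min(r) >= 0}
    q_roots = {r for r in positive if r[0] >= 1}   # the roots 1bcd and 2342
    l_roots = {r for r in positive if r[0] == 0}   # positive roots of L
    # For each root of Q other than the highest one, list the roots of Q
    # that add up with it to the highest root.
    partners = {
        label(g): [label(d) for d in q_roots
                   if tuple(x + y for x, y in zip(g, d)) == HIGHEST]
        for g in q_roots if g != HIGHEST
    }
    return {
        "count": len(roots),
        "positive": {label(r) for r in positive},
        "q_short": {label(r) for r in q_roots if not is_long(r)},
        "q_long": {label(r) for r in q_roots if is_long(r) and r != HIGHEST},
        "l_short": {label(r) for r in l_roots if not is_long(r)},
        "l_long": {label(r) for r in l_roots if is_long(r)},
        "partners": partners,
    }


if __name__ == "__main__":
    data = f4_data()
    print("roots:", data["count"], "positive:", len(data["positive"]))
    print("matches the page's list:", data["positive"] == PAGE_POSITIVE)
    for gamma, mates in sorted(data["partners"].items(), reverse=True):
        print(gamma, "+", mates, "= 2342")
```

In the output every short root of Q is paired with a short root and every long root with a long one, which is the pairing the two lists of 6 and 8 roots encode.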

Lemma 2.38. Proposition 2.37 holds if G is $F_4(q)$ with q even.

Proof. We must find the standard form $\prod_{\alpha\in\Phi^+\setminus\Phi_L} X_\alpha(t_\alpha)$ of g. As all short root
groups of Q lie in the center of Q we can move all long root factors of g to the end
(the right hand side) of the product, and then compute the long root "coordinates"
as above for the root groups $\ne X_\nu$.

It remains to find the standard form of an element $g \in Z(Q) = \langle X_{2342}, X_{1232},
X_{1231}, X_{1221}, X_{1121}, X_{1111}, X_{1110}\rangle$. We repeatedly use (2.5) for these short root
groups.

Compute s := [{g,X a (l)],X_ ai (l)}, where $\alpha = 0121$. By &E§, $s = X_{1232}(t_{1110})$,
from which we find $t_{1110}$.

Define $s_1 := gX_{1110}(t_{1110})$ and compute $[s_1, X_{0111}(t)] = X_{1232}(t_{1121})$ in order to
find $t_{1121}$.

Define $s_2 := s_1X_{1121}(t_{1121})$ and compute $[s_2, X_{0121}(t)] = X_{1232}(t_{1111})$ in order
to find $t_{1111}$.

Define $s_3 := s_2X_{1111}(t_{1111})$ and compute $[s_3, X_{0011}(t)] = X_{1232}(t_{1221})$ in order to
find $t_{1221}$.

Define $s_4 := s_3X_{1221}(t_{1221})$ and compute $[s_4, X_{0001}(t)] = X_{1232}(t_{1231})$ in order
to find $t_{1231}$.

Define $s_5 := s_4X_{1231}(t_{1231})$ and compute $[s_5, X_{-0001}(t)] = X_{1231}(t_{1232})$ in order
to find $t_{1232}$.

Finally, compute $s_5X_{1232}(t_{1232}) = X_{2342}(t_{2342}) \in Z = X_{2342}$ in order to find
$t_{2342}$.

Once again this procedure is deterministic and the time is clear. □

2.15. Straight-line programs; testing that $G = G_0$. We can now prove parts
(ii) and (iii) of Theorem 1.1. First of all we may need to slightly increase the set
S* in Remark 2.34 in order to use recursion. In Section 2.9 we used either
Theorem 1.3(ii), or a recursive call when G is $E_8(q)$, in order to find a new generating
set $S_L^*$ for L. If necessary, increase S* by adjoining this set, in which case adjoin
$\hat S_L = S_L^*\Psi^{-1}$ to $\hat S$ (cf. RemarkEHJ). Thus, $\hat S$ and S* still have size O(log q) and
$\hat S\Psi = S^*$. This takes $O(\xi q\log q)$ time by Theorem 1.3(iii).

Proposition 2.39. (i) There is a deterministic $O(\mu\log q)$-time algorithm which,
when given $g \in G$, finds $g\Psi$ and a straight-line program of length O(log q) from
S to g.

(ii) There is a deterministic $O(\mu\log q)$-time algorithm that finds a generator of
Z(G).

(iii) There is an $O(\xi q\log q + \mu q\log q)$-time Las Vegas algorithm which, with
probability $> 1 - 1/2^7$, when given $g \in G$ finds a preimage $g\Psi^{-1}$ and a straight-line
program of length O(log q) from S* to g.

Proof. (i) We have assumed the availability of the Lie algebra for G and the action
of G on that algebra. Use [CMT, Theorem 8.1] and [CHM] to write g in the Bruhat
form $unu'$, with $n \in \hat N$ and u, u' in the Sylow p-subgroup $\langle X_\gamma(f_k) \mid$ all appropriate
k and $\gamma \in \Phi^+\rangle$. Then use ( ^ -(^3 ]) or QZJfy, together with P~j j) - (|2"3P)), in order
to write u, u' and n in terms of straight-line programs from S (EH [CMT, CHM]
(compare Corollary 2.35). Apply $\Psi$ in order to obtain a straight-line program from
$S\Psi$ to $g\Psi$.

(ii) There is an algorithm in [Ca1, pp. 198-199] for finding Z(G). However, for
each of the present small number of exceptional groups (2.1) one can instead readily
write down the center of G in terms of the elements $h_{\alpha_i}(t)$, and hence in terms of
the elements $X_{\pm\alpha_i}(f_k)$, in O(log q) time (cf. (2.7)). Now the center of G is obtained
using (i).

(iii) Use Corollary 2.35 to choose up to 30 elements $y \in G_0$ in order to find one
such that $[[z^{gy}, z], z] \ne 1$, so that Z and $Z^{gy}$ are opposite by (|2~T2]).

Find $u \in Q$ such that $Z^{gyu} = Z^-$ using Lemma 2.36; find a straight-line program
of length O(log q) from S* to u using Lemma 2.37. Now $gyun_\nu$ normalizes Z, where
$n_\nu := n_\nu(1)$ is defined using (2.7) without the hats. It follows that the desired result
holds for g if it holds for $gyun_\nu$.

Thus, we will replace g by $gyun_\nu$, so that g normalizes Z. Now $(Z^-)^g$ is opposite
Z. Again use Lemmas 2.36 and 2.37 in order to find $u' \in Q$ such that $(Z^-)^{gu'} = Z^-$,
as well as a straight-line program of length O(log q) from S* to u'. Thus, we may
now assume that g normalizes both Z and $Z^-$.

Find $h = h_\nu(t)$ acting on Z and $Z^-$ in the same manner as g, using (2.14) and
(2.9). Find a straight-line program of length O(log q) from S* to $h^{-1}$ using (2.7).

Now $gh^{-1} \in C_G(\langle Z, Z^-\rangle) = L$ (cf. (2.16)). Find a straight-line program of length
O(log q) from $S_L^*$ to $gh^{-1}$ using Theorem 1.3(iii). This produces the desired
straight-line program to g.

Reliability: $> 1 - 1/2^8$: we obtain y with probability $> 1 - 1/2^{10}$ by Lemma 2.26,
and both calls to Lemma 2.36 succeed with probability $> 1 - 2/2^{10}$. (N.B. Recall
that we are assuming that $G_0 = G$, in which case Corollary 2.35 provides us with
a random element of G and hence a random conjugate $Z^{gy}$ of Z. We will test this
assumption in Corollary 2.42.)

Time: $O(\xi q\log q + \mu q\log^2 q)$ in (iii), dominated by the time to find the elements u
and u' using Lemma 2.36. (N.B. It also takes $O(\mu q)$ time to find h.) □

Remark 2.40. We have assumed in (i) that our element of G was given either in
terms of the Bruhat decomposition or as an automorphism of the Lie algebra for G.
In the latter situation, the input to the algorithm in [CMT, Theorem 8.1] or [CHM]
is a linear transformation and the algorithm carries out a form of row reduction
to get the Bruhat form. This is essential for our use in the Appendix, and nicely
parallels the classical group situation [KS1]. In fact, [CMT, CHM] deal with the
same question for a variety of irreducible representations of G.

Alternatively, g could just be given as a word in S. This possibility has already
been considered: in [Ri, pp. 44-45] and [CMT] there are deterministic algorithms
which, when given g as a word in S, use the relations (2.2)-(2.5) or (2.6), together
with (2.9)-(2.10), in order to rewrite g as an element $unu'$ as above.

In (iii) an element of the black box group G is given as a string; it is not
necessarily given in terms of any available generating set. This is essential for uses of
Theorem 1.1 such as Corollary 1.2.

Remark 2.41. Alternative approach to (i) avoiding [CMT, CHM, Ri]: Apply the
algorithm in Proposition 2.39(iii) to the given element $g \in G$ (this uses Lemmas 2.36
and 2.37 for G).

Here g might once again merely be known as an automorphism of the associated 
Lie algebra. This routine has the disadvantage of requiring more time and being 
probabilistic; its advantage is that it uses the present paper's relatively standard 
black-box methodology employed in (iii). 

Corollary 2.42. There is an $O(|S|\log|S|(\xi q\log q + \mu q\log^2 q))$-time Las Vegas
algorithm which, with probability $> 1 - 1/2^6$, checks that $G = G_0$.

Proof. Recall that G is given as $\langle S\rangle$. In order to prove that $\Psi$ is an epimorphism
we verify that every generator $s \in S$ lies in $G_0$ by applying Proposition 2.39(iii) to
each s up to $\lceil\log|S|\rceil$ times.

Reliability: $> 1 - 1/2^6$: the applications of Proposition 2.39(iii) for a single $s \in S$
all fail with probability $< 1/2^{7\log|S|} < 1/(2^6|S|)$, so that at least one of our tests
fails for some $s \in S$ with probability $< |S| \cdot 1/(2^6|S|)$.

Time: $O(|S|\log|S|(\xi q\log q + \mu q\log^2 q))$ using Proposition 2.39(iii) to obtain
straight-line programs from S* to each $s \in S$. □

The timing in the preceding result differs from [KS1, p. 145] since the membership
test used there is deterministic, unlike our Proposition 2.39(iii).

2.16. Proof of Theorem 1.1 for rank > 2. In Section 2.12 we produced a
homomorphism $\Psi\colon \hat G \to G$ with image $G_0$. We consider the various parts of Theorem 1.1.

(i) We already used [BKPS].

(ii) See Sections EH and EH]
(iii,iv,vii) See Proposition 2.39.

(v) This follows from Theorem 1.3(i) in view of the new generators $X_\alpha(f_k)$ we
introduced in Sections 2.12 and 2.15.

(vi) The second part is Corollary 2.42.

The first part is the content of Sections 2.4-2.12. The probability of success is at
least 1/2, and the total time is as stated, due to all of the individual probabilities
and times obtained earlier.

(viii) Find $Z(\hat G)$ using Proposition 2.39(ii), and then find $Z(G) = Z(\hat G)\Psi$ using
Proposition 2.39(i). □

3. Rank 2 groups

We now turn to the groups $G_2(q)$ and ${}^3D_4(q)$. For the most part we will be able
to mimic and simplify the previous approach. However, there are differences, such
as the use of a subgroup L that does not contain any long root elements.

We assume that q > 9 in order to avoid some exceptional situations. In
particular, we will always have G = G [GLS, p. 313], where $\hat G$ will be known and
"concrete" whereas G will be a black box group.

3.1. Background. In addition to $F = \mathbb{F}_q$ we need to consider $F' = \mathbb{F}_{q^e}$, where e is
1 for $G_2(q)$ and 3 for ${}^3D_4(q)$. We retain our notation from Section 2, except that
now F' is $\mathbb{F}_q$ or $\mathbb{F}_{q^e}$ and {/i , . . . , /«.} is an $\mathbb{F}_p$-basis of $\mathbb{F}_{q^e}$.

Presentation. The groups $G_2(q)$ and ${}^3D_4(q)$ have a root system $\Phi$ of type $G_2$.

First consider $G = {}^3D_4(q)$. We start with generators $x_\alpha(t)$, where either $\alpha$ is long
and $t \in F$, or $\alpha$ is short and $t \in F' = \mathbb{F}_{q^3}$. Define $T\colon F' \to F$ by $T(t) = t + t^q + t^{q^2}$.
Then the Steinberg relations [St] become (2.2)-(2.4), where the field elements are
in F or F' for $\alpha$ long or short, respectively, together with

[X a (fk),Xp(fl)]= for 

1 a + /3 <£ $ 

X a+f }{e a i3fkfi) a,/3,a + /3 long 

X a+/ 3(e a pT(f k fi)) a,P short, a + (3 long 

X a+ p(e aP (f k ff + ffm)X 2a+ e(r, aP T(f k f k ff))- 

(3 - 1} X a+2p (8 a0 T{f k f q ff)) 

a, j3,a + f3 short, 2a + j3, a + 2/3 long 

^ ~ 2 -s 2 

X a+/3 (e al sf k fi)X2 a+ i3{e' al3 flfl fi)X 3a+/3 (e'^f k f^f^ fi)- 

X3a+2l3(^a/3fkf k f k ff) 

a, a + j3, 2a + (3 short, j3, 3a + /3,3a + 2/3 long 

for all basis elements $f_k$, $f_l$ of F or F' (as appropriate). Once again the coefficients
e Q) 3, ria/s, Sa/3, ^a^i^ajii e 'a/3 are ^ and depend only on $\alpha$ and $\beta$. Once again the
right hand sides are viewed as products of powers of generators $X_\gamma(f_m)$ for the
roots $\gamma$ appearing on the right side.

We again use (2.7), where $t \in F'^*$ when $\alpha$ is short. Then the analogues of (2.9)
and (2.10) hold. For example:

(3.2)   $h_\alpha(t)X_\beta(u)h_\alpha(t)^{-1} = X_\beta(t^{A_{\alpha\beta}}u)$   except for the next instance
        $h_\alpha(t)X_\beta(u)h_\alpha(t)^{-1} = X_\beta((tt^qt^{q^2})^{A_{\alpha\beta}/3}u)$   $\alpha$ short, $\beta$ long.

For $G_2(q)$ we obtain the required presentation by restricting all of the above field
elements to F.

We include a sketch of a proof of the second line in (3.2) when $G = {}^3D_4(q)$. The
twisted root system for ${}^3D_4(q)$ has a base $\{\alpha, \beta\}$ arising from a base $\{\alpha_1, \alpha_2, \alpha_3, \alpha_4\}$
of a $D_4$-root system, where $\beta = \alpha_2$ is the central node and $\alpha$ corresponds to
$\{\alpha_1, \alpha_3, \alpha_4\}$. We will follow [Ca1, pp. 233-237]. If $u \in F$ and $t \in \mathbb{F}_{q^3}$ then $X_\beta(u) =
X_{\alpha_2}(u)$ and $h_\alpha(t) = h_{\alpha_1}(t)h_{\alpha_3}(t^q)h_{\alpha_4}(t^{q^2})$. Moreover,

$h_\alpha(t)X_\beta(u)h_\alpha(t)^{-1} = h_{\alpha_1}(t)h_{\alpha_3}(t^q)h_{\alpha_4}(t^{q^2})X_{\alpha_2}(u)h_{\alpha_1}(t)^{-1}h_{\alpha_3}(t^q)^{-1}h_{\alpha_4}(t^{q^2})^{-1}$

with $A_{\alpha_1\alpha_2} = A_{\alpha_3\alpha_2} = A_{\alpha_4\alpha_2} = \epsilon = A_{\alpha\beta}/3$ for $\epsilon = \pm 1$, which implies the
second assertion in (3.2).

The subgroup S. For both $G_2(q)$ and ${}^3D_4(q)$ the subgroup S generated by the
long root groups $X_\alpha$ is isomorphic to SL(3,q).

The subgroups Q and L. If Z is a long root subgroup of G and $1 \ne z \in Z$, then
$C_G(z) = C_G(Z) = Q \rtimes L$ with Q and L as follows:

G                     G_2(q), q ≠ 3^a       G_2(q), q = 3^a       ^3D_4(q)
L                     SL(2,q)               SL(2,q)               SL(2,q^3)
Q                     q^{1+4}               q^{1+(2+2)}           q^{1+8}
T                     Z_{q-1} × Z_{q-1}     Z_{q-1} × Z_{q-1}     Z_{q-1} × Z_{q^3-1}
maximal torus of L    Z_{q-1}               Z_{q-1}               Z_{q^3-1}

where we have included the structure of maximal tori T of G and of L.

Lemma 3.3. (i) With probability > 1/3q, an element $\tau \in G_2(q)$ has order
$p \cdot \mathrm{ppd}^\#(p; 2e)$; and then $\tau^{q+1}$ is a long or short root element.
(ii) With probability > 1/9q, an element $\tau \in {}^3D_4(q)$ has order $p \cdot \mathrm{ppd}^\#(p; 6e)$, and
then $\tau^{q+1}$ is a long root element.

Proof. We first construct elements of the indicated orders. There is a central
product SL(2,F') ∘ SL(2,q) of a short root SL(2,F') and a long root SL(2,q), and
this contains elements of the desired order. As in Lemma 2.24, an element $\tau$ of
the stated order lies in a parabolic, hence in a central product as above, and hence
powers to a root element.

The probability estimates are obtained as in Lemma 2.24 but are simpler. □

Opposite long root elements and root groups are defined as in Section 2.1.

Lemma 3.4. Let z be a long root element.

(i) HDD holds.

(ii) Lemma 2.26 holds.

(iii) Lemma 2.28(i) holds.

(iv) All long subgroups isomorphic to SL(3,q) are conjugate.

(v) If $p \ne 3$ then three short root elements of $G_2(q)$ never generate a group
isomorphic to SL(3,q).

Proof. (i) This follows from the analogue of Lemma 2.11.

(ii,iii) These are proved exactly as in Section 2.3 (cf. Table 1).

(iv) See [033] or [EillKT2].

(v) See [KIT]. □

Of course, the conclusion in (v) is false for p = 3 due to the graph automorphism
of $G_2(q)$.
3.2. Finding a root group Z and the subgroups $Z^-$, R and S. As in Section 2.4,
we now consider a black box group G that is a nontrivial homomorphic
image of the universal cover $\hat G$ of $G_2(q)$ or ${}^3D_4(q)$. Since q > 4, G = G [GLS,
p. 313]. Find the probable type of G using [BKPS].

We now imitate parts of Sections 2.5 and 2.7. Choose up to 90q elements $\tau$ in
order to find one of order $pl = p \cdot \mathrm{ppd}^\#(p; 2ee)$; for $z := \tau^{q+1}$ choose up to 120 pairs
z', y of conjugates of z; for each pair, test whether both are opposite z and whether
$S := \langle z, z', y\rangle$ and $S_2 := \langle z, z'^{\tau^p}, y\rangle$ are both isomorphic to $\hat S = \mathrm{SL}(3,q)$; and, if
so, find constructive isomorphisms $\Psi_S\colon \hat S \to S$ and $\Psi_{S_2}\colon \hat S \to S_2$, together with
generating sets S§ and Sg of $\hat S$ and S, respectively, such that S^s = <Sg-

Find the root groups Z and $Z^-$ in S such that $z \in Z$ and $z' \in Z^-$.

Let $R := \langle Z, Z^-\rangle \cong \mathrm{SL}(2,q)$.

As in Section E3 find $c \in O_p(C_{S_2}(Z))O_p(C_S(Z)) \subseteq O_p(C_G(Z))$ such that $\tau^pc$
centralizes R and has order divisible by l.

Correctness: By Lemma 3.3(ii), the element z just constructed is a long root
element if G is ${}^3D_4(q)$. If G is $G_2(q)$ and p = 3, it makes no difference whether
we are using long or short root elements, since these are conjugate in Aut G, so we
may assume that z is long. If G is $G_2(q)$ and $p \ne 3$ then we might have obtained a
short root element z, but then we will not obtain $S \cong \mathrm{SL}(3,q)$ by Lemma 3.4(v).

Reliability: $> 1 - 1/2^9$. For, a choice $\tau$ has the correct order and produces
a long root element with probability > 1/9q by Lemma 3.3(i), so that we fail
to obtain an element $\tau$ of the desired type with probability $< (1 - 1/9q)^{90q} <
1/2^{10}$. The tests involving a single choice z', y, S, $S_2$ all succeed with probability
$> (1/12)(1/3)(1/4)^2(1/2)^2 > 1/2^{12}$ (by Lemma |33pi,iii) and Theorem 1.3(ii)), so
that the tests for all 120 pairs z', y all fail with probability $< (1 - 1/2^{12})^{120} < 1/2^{10}$.

Time: $O(\xi qe + \mu q\log^2 q)$, dominated by finding $\Psi_S$ and $\Psi_{S_2}$.

3.3. The subgroups L, T and N. We will use additional subgroups analogous
to ones in Sections 2.5, 2.11.

The group $L := \langle C_S(R), \tau^pc\rangle$ is a subgroup of $C_G(R) \cong \mathrm{SL}(2,q^e)$ of order divisible
by both $|C_S(R)| = q - 1$ and $|\tau^pc|$, which is a $\mathrm{ppd}^\#(p; 2ee)$. Then $L = C_G(R)$ since
$\mathrm{SL}(2,q^e)$ has no such proper subgroup for q > 9 [D3 Sec. 260].

As in Lemma 2.21(ii), the pair (S, L) is uniquely determined up to conjugacy in G.

Use Theorem 1.3(ii) up to 10 times in order to obtain a constructive isomorphism
$\Psi_L\colon L \to \mathrm{SL}(2,F')$.

Reliability: $> 1 - 1/2^{10}$.

Time: $O(\xi|F'|\log q + \mu|F'|\log^2 q)$ to obtain $\Psi_L$.

The subgroups Ts, Tl, T and N. First note that G acts transitively by conjuga- 
tion on the set of triples (Si, Ri, T§ ) with a maximal split torus of Si G 5*° nor- 
malizing Ri G i? . Hence G is also transitive on the set of 4-tuples (L\, S±,T^ , Tg ) 
with T§ a maximal split torus of Si normalizing Li = C G (Ri) and centralizing 
a (unique) maximal split torus of Lj (which must therefore contain the torus 
(Ri) — Si H Li). Then T§ is a maximal torus of G and is normal in 
(N §i (T Si ),N Li (T Li )) (compare LemmaH}. 
With this in mind, use $\Psi_S$ (and Theorem 1.3(iii,iv)) to find a maximal split torus
$T_S$ of S normalizing R, Z and $Z^-$. Then $T_S$ normalizes $C_G(R) = L$, and hence
normalizes and so centralizes the unique maximal split torus $T_L \ge S \cap L$ of L (by
the preceding paragraph). Find $T_L$ using $\Psi_L$. (Compare Lemma 2.32 - but here
we are only working with a 2-dimensional vector space. Moreover, unlike in the
large rank case, the torus $T_L$ is uniquely determined by $S \cap L$.)

Then $T := T_ST_L$ is a maximal torus of G.

Find $N_S(T_S)$ and $N_L(T_L)$ using $\Psi_S$ and $\Psi_L$. The above observations concerning
G imply that $T \trianglelefteq N := \langle N_S(T_S), N_L(T_L)\rangle$ and N/T is the Weyl group of G.
From this point on we will no longer explicitly use S.

3.4. Root groups. Let $\{\alpha_1, \alpha_2\}$ be a base for a root system $\Phi$ associated with
the Weyl group N/T, with $\alpha_1$ long. Let $\nu = 2\alpha_1 + 3\alpha_2$ be the highest root, and
label $Z = X_\nu$ and $Z^- = X_{-\nu}$.

Find the two (short!) root groups of L normalized by T using $\Psi_L$; pick one of
them and label it $X_{\alpha_2}$, then label the other one $X_{-\alpha_2}$. The N-conjugates of $X_{\pm\nu}$
and $X_{\pm\alpha_2}$ are the 12 root groups of G normalized by T; the action of N labels each
as $X_\alpha$ with $\alpha \in \Phi$.

Coordinatize L using $\Psi_L$, obtaining $X_{\pm\alpha_2}(f_k)$, $n_{\alpha_2}(1)$ and $h_{\alpha_2}(f_k)$ for $f_k \in F'$.

Time: $O(\xi q\log^2 q)$, dominated by O(e) uses of Theorem 1.3(iii,iv) for $\Psi_L$.

As in Section [5321 we next show that G maps onto $G_0 := \langle X_\alpha \mid \alpha \in \Phi\rangle$:

Proposition 3.5. There is a deterministic $O(\mu\log^2 q)$-time algorithm that labels
any given element of any root group $X_\alpha$, $\alpha \in \Phi$, as $X_\alpha(t)$ for some $t \in F$ or F', in
such a way that the map $\hat X_\alpha(f_k) \mapsto X_\alpha(f_k)$ (for all appropriate $\alpha$ and k) extends
to an epimorphism $\Psi\colon \hat G \to G_0$.

Proof. By (3.2), $T_L$ acts transitively on the nontrivial elements of $X_{\alpha_1}$. Thus,
we can choose any nontrivial element of $X_{\alpha_1}$ and label it $X_{\alpha_1}(1)$, after which the
remaining labels $X_{\alpha_1}(f_k)$ are forced by (3.2). Namely, $h_{\alpha_2}(t)^{-A_{\alpha_2\alpha_1}/3}$ conjugates
$X_{\alpha_1}(1)$ to $X_{\alpha_1}(tt^qt^{q^2})$. Applying this for distinct $t = f_k, f_k + 1, af_k + 1$ in F gives
us $X_{\alpha_1}(u)$ for $u = f_k^3$, $(f_k + 1)^3$ and $(af_k + 1)^3$. We may assume that $p \ne 3$ (as
otherwise the elements $f_k^3$ span F). Since $f_1 = 1$, it is easy to see that we now have
obtained all of the elements $X_{\alpha_1}(f_k)$.

By the rank 2 analogues of (|2.7[) and (|2 . 10[) . we can now coordinatize la" 2 ' 1 ' = 

X— ai — 3c*2 ' 

By (E3D, [[X a2 {l),X ai (f k )},X ai (l)\ =x 

2a 1 +3a 2 ( e ai +3q 2 .01 e a 2 ,ai / fc ) whenever 

/fe G F, so we can coordinatize X2 ai +3a 2 - 

For each element x in an F p -basis of A_ Ql , find its coordinate u via the rela- 
tion [A 2qi+3q2 (1),x] = X ai+3a2 (e 2 a 1 +3a 2 -a 1 u) in (|3~T|) by using linear algebra in 
A Ql +3 Q2 . This produces the coordinates of a basis of X^ ai and hence of any given 
element of X_ ai . 

Use (2.7) and (2.10) to coordinatize all $\langle n_{\alpha_1}(1), n_{\alpha_2}(1)\rangle$-conjugates of $X_{\alpha_1}$ and
$X_{\alpha_2}$, and hence of all root groups $X_\alpha$.

Thus, we have obtained a map $\Psi\colon \hat X_\alpha(f_k) \mapsto X_\alpha(f_k)$ (for all appropriate $\alpha$
and k). Verify (3.1) in order to show that $\Psi$ extends to an epimorphism $\hat G \to G_0$.
As in the proof of Proposition 2.33, this algorithm is deterministic, and runs in the
stated time. □

3.5. Linear algebra in Q/Z. Next we imitate Section 2.14.

Effective transitivity of the subgroup Q. Lemma 2.36 holds for $Q := \langle X_\alpha \mid
\alpha \in \Phi^+\rangle$, using the exact same proof, still requiring $O(\xi q\log q + \mu q\log^2 q)$ time and
still succeeding with probability $> 1 - 1/2^{10}$.

Linear algebra in Q/Z. If we exclude $G_2(q)$ with p = 3, this is the same as in
Proposition 2.37. Namely, Q is still of "extraspecial type" (i.e., it behaves exactly
as in Lemma 2.18(ii)), and we can again peel off the root elements by commutations
as in the proof of Proposition 2.37.

However, since this "peeling" involves traces of field elements, we will be more
careful. List the positive roots $2\alpha_1 + 3\alpha_2 = \nu$, $\alpha_1 + 3\alpha_2$, $\alpha_1 + 2\alpha_2$, $\alpha_1 + \alpha_2$, $\alpha_2$, $\alpha_1$.
Our given $g \in Q$ can be written $g = \prod_{\gamma\in\Phi^+\setminus\Phi_L} X_\gamma(t_\gamma)$ in this order, and we must
find the field elements $t_\gamma$.

By (3.1), $X_{\alpha_1+3\alpha_2}$ commutes with the positive root groups other than $X_{\alpha_1}$.
Since $[g, X_{\alpha_1+3\alpha_2}(1)] = X_{2\alpha_1+3\alpha_2}(\epsilon_{\alpha_1,\alpha_1+3\alpha_2}t_{\alpha_1})$, as in Lemma EZXHfi) we deduce
$t_{\alpha_1}$ using linear algebra in F.

Let 9l := gX^^)- 1 . By (gU), 

9l '■= [5ll^ai+Q2(l)] = [^a 1 +2a 2 (ta 1 +2a 2 ), X ai+a2 (l)][X a2 (t a2 ),X ai+a2 (l)] 

q q^ q 

= X ai +2a 2 ( e Q 2 ,Qi+Q 2 i^a 2 ^a 2 ))^"ai+3a 2 { f la 2 ,ui +a 2 T(^a 2 ^a 2 )) ' 

X 2 a 1 +3a2 (^«2 ,ai+a2 T(£a2 )) ^2ai +3ct2 (^ai +a 2 ,a\ +2a 2 ^(^Qi+2a2 )) ' 

Then [g[, X ai (e ai+3a2 . ai 1)] = X 2 

ai+3a2 {jla 2 ,cxi+a 2 ^^OL 2 ^'ct 2 )) §i^eS US T(£ a2 £ a2 ). 

Also, 

[5l j -^-oi (£qi+3q2,-oi 1)] = -^-a!+3a 2 ^a 2 ,ai+a 2 r ^(ta 2 ) + ^a±+a 2 ,a\+2a 2 T (t ai +2a 2 )) j 

9iWiiX ai (e a i+3a 2 ,ail)]~ 1 [5i; AT_ Ql (e Ql+ 3 Q2i _ Ql l)] 1 

2 

— X ai J r 2a 2 ( e a 2 ,ai+a2 ('«2 ^a 2 )) ■ 

Hence, we deduce ^ + if 2 . The identity (£ a +f£)(t* a +tf 2 ) 9 = (tl 2 ) 2 + T(i Q2 t* 2 ) 
along with T(i Q2 i^ 2 ) give us (£„ 2 ) 2 and hence also t^ 2 up to sign. Since we already 

know i + f Q , we deduce i^ 2 and hence also t a2 . 

The same procedure, with the roles of ct2 and a\ + a 2 reversed, yields t ai+a2 . 
Let g 2 := 5iX Q Jt Q J _1 X Ql+Q2 (t Ql+Q2 ) _1 . As above, 

[52, A^ ai (e Ql+3Q2iQl l)] = X 2ai +3a 2 (e Q i+3Q 2 ,Qi*ai+3a 2 ) 

yields t ai+3a . 2 . We obtain i2ai+3a 2 an d ^ai+2a 2 similarly. 

As in Proposition 2.37, this linear algebra routine is deterministic, and takes
$O(\mu\log q)$ time.

3.6. Proof of Theorem 1.1 for rank 2. We can now complete the proof of
Theorem 1.1.

Straight-line programs. The analogue of Proposition 2.39(i) is proved in the same
manner as in that proposition. The timing for the analogue of Proposition 2.39(iii)
is $O(\xi|F'|\log q + \mu|F'|\log q)$, dominated by finding the elements u and u' occurring
in the proof of Proposition 2.39 and finding straight-line programs in L.

Completion of proof. This is exactly as in Section 2.16 in view of
Proposition 3.5 and the analogue of Proposition 2.39. As usual, (viii) is unnecessary since
Z(G) = 1. □

4. Concluding remarks

1. Small q. When q < 9, in place of Lemmas 2.24 or 3.3 we can simply find
exact orders of elements (replacing the stated l by $l := |T^*|$ using (2.15)). We still
need the fact that q > 3 in order to have elements behaving as in the conclusions
of Lemmas 2.24(i) or 3.3(i). We also used the fact that q > 4 in order to avoid
exceptional universal covers.

When q = 9, two opposite long root elements never generate an SL(2,9), but
instead generate SL(2,5). However, as in Lemma 2.28(i), inclusion of a third long
root element generates SL(3,9) with high probability, after which the rest of our
algorithm goes through.

For q > 4, in rank > 2 the only other needed change is (possibly) to select more
elements in order to handle the fact that the probabilities in situations such as
Lemmas 2.24 and 2.26, 2.28 are no longer as high as in those lemmas.

However, for rank 2 a different approach is needed when q is 5 or 7: in Section 3.3
elements of $C_G(R)$ of order q - 1 and q + 1 need not generate $C_G(R)$. One way is
to use the fact that elements of the stated orders generate $C_G(R)$ with probability
> 1/2, while another proceeds as in Remark [B] below.

2. Speculations on implementation. We expect that versions of the algorithms will
be implemented. For rank > 2 we suspect that there is no need to find J. Instead,
$\langle C_S(L), \tau\rangle$ or $\langle C_S(L), \tau, \tau_0\rangle$ appears to be the desired group L when q > 2 (in
the notation of Section 2.9). For example, if G does not have type $E_8$ then L is
essentially a classical group, and $\langle C_S(L), \tau\rangle$ or $\langle C_S(L), \tau, \tau_0\rangle$ acts irreducibly and
primitively on its natural module. Now the ppd-orders and [GPPS] can be used
to obtain a small list of possibilities to check, and presumably to rule out most of
them by careful examination of the elements $\tau$ and $\tau_0$.

3. The omitted groups ${}^2F_4(q)$. We expect that the groups ${}^2F_4(q)$ will eventually
be handled in a manner resembling Section 3. However, those groups involve more
intricate commutator relations than other groups of Lie type.

The natural representation of ${}^2F_4(q)$ is dealt with in [Baa4], assuming the
correctness of a complicated conjecture concerning $\mathbb{F}_q = \mathbb{F}_{2^{2e+1}}$ and of a conjecture
concerning the actions of elements of ${}^2F_4(q)$ on the natural module. Apparently this
approach does not work for other absolutely irreducible representations of ${}^2F_4(q)$
in characteristic 2.

Remarks 0][6] concern variants of Theorem 1.1 that (almost) run in polynomial
time. However, these have yet to be carefully checked before there can be a sequel
to this paper.

4. The factor q and oracles: rank > 2. Our algorithm searched for a long root
element $z \in G$, and then $\langle z, z^g\rangle$ ($g \in G$) is guaranteed to be a proper subgroup
of G. In fact, with high probability $\langle z, z^g, z^h\rangle$ ($g, h \in G$) is a long root SL(3,q).
Unfortunately, the probability of finding by random search an element for which
some power is a long root element is unreasonably small for groups defined over
large fields. An alternative strategy is to search for semisimple elements closely
related to long root elements.

This was accomplished in a number of the papers cited following Theorem 1.3.
More significantly, the factor q in the timing of analogues of Theorem 1.1 was
removed by assuming the availability of an SL(2,q)-oracle to constructively recognize
SL(2,q) as well as a Discrete Log oracle for $F^*$, and possibly also for $\mathbb{Z}_{q+1}$ (cf.
Section [T]). Then suitable p'-elements were used to construct subgroups such as
SL(3,q), SU(3,q) or Sp(4,q).

Here we comment on the requirements in order for this approach to be used
with exceptional groups of rank > 2 when q > 4. Find and use an element $\tau$ of
order $\mathrm{ppd}^\#(p; e)l$ or $\mathrm{ppd}^\#(p; 2e)l$ in the notation of Lemma 2.24; such an element is
obtained as the product of elements of R = SL(2,q) and $L = C_G(R)$. The element
$\tau$ needs to have two further properties: (a) $\tau^l$ lies in a long SL(2,q), and (b) two
conjugates of $\tau^l$ probably generate a subgroup containing long root groups (in which
case a long root group is obtained via constructive recognition of the subgroup).

Condition (a): As in Section 2.5 we obtain an element $\tau^l$ of a long SL(2,q),
except perhaps in type $F_4$ where this might belong to a short SL(2,q). In the latter
case, we obtain an element of order p of this SL(2,q), and then proceed exactly as
in Section 2.5 to distinguish long and short root elements in odd characteristic (or
use Remark 6 below).

There is a problem with the first element order $|\tau| = pl$ in Lemma 2.24 for $E_7(q)$.
This is the only instance with a factor $\mathrm{ppd}^\#(p; e)\mathrm{ppd}^\#(p; 2e)$. One way around this
difficulty is to modify Lemma 2.25: use elements $\tau_1$ of order $\mathrm{ppd}^\#(p; e)\mathrm{ppd}^\#(p; 9e)$
and $\tau_2$ of order $\mathrm{ppd}^\#(p; 2e)\mathrm{ppd}^\#(p; 18e)$ normalizing subgroups of type $E_6(q)$ and
${}^2E_6(q)$, respectively. Once conjugates of the powers r[ q ~^^ 9 and rif +1 ^^ q +1 )
have been arranged (by conjugation) to generate a subgroup Spin^g) we will have
two commuting long subgroups $R \cong R_1 \cong \mathrm{SL}(2,q)$; and once other conjugates of
r[ q 1 ''( q 1 - ) and r^f +1 ^^ q +1 > have been arranged to lie in that long subgroup
$R \cong \mathrm{SL}(2,q)$ then $\langle R_1, \tau_1^{q-1}, \tau_2^{q+1}\rangle$ will be $L = C_G(R)$.

Condition (b): If t 1 lies in a long SL(2, q) then two of its conjugates lie in the 
group generated by two such subgroups SL(2, q), and hence for rank > 2 everything 
reverts to an orthogonal group setting [Ka2l Proposition 3.2], where the required 
(probable) generation was proved in [BrKll IBrK2] . 

Starting from a long root element obtained by generating a suitable subgroup 
in this manner, and assuming the availability of suitable oracles, the remainder of 
our algorithm goes through. These oracles are the aforementioned ones for SL(2, q) 
and F*; and, in the 2 Eq case, one for Discrete Logs in Z g+ i (cf. |Br2j ). 

5. Rank 2, even q. The method in the preceding Remark also works for type $G_2$ 
in characteristic 2, using an element of order 3ppd (p; $\delta$e) when $G = G_2(q)$ (where 
$\delta$ is 2 if $3 \mid q-1$ and 1 if $3 \mid q+1$). 

Unfortunately, when q is even ${}^3D_4(q)$ does not possess any class $x^G$ of semisimple 
elements for which $\langle x, x^g \rangle$ ($g \in G$) is a proper subgroup with high probability. 
Therefore, our approach in Section 3 appears to be the only option for these groups. 

6. Odd q and involution centralizers. There is a different way to handle part of 
Theorem 1.1 that can produce a long SL(2, q) in polynomial time when q is odd, 
assuming the availability of suitable oracles as in Remark 2. With high probability, 
a random element has even order and a power is an involution t conjugate to the one 
in R. (There may be other involutions encountered, but the desired conjugacy class 
will occur with high probability.) Then $C_G(t) = R \circ L$ can be found in polynomial 
time with high probability [Bor, Br, HLORW, PW], after which it is easy to find 
both R and L. As in Remark 2, given suitable oracles the rest of our algorithm 
appears to go through. Note that, using this approach, we have already obtained 
the crucial subgroup L, and hence there is no need for the subgroup J. 

In rank 2, the ${}^3D_4(q)$ case appears to need oracles to constructively recognize 
SL(2, $q^3$) and for Discrete Logs in $\mathbb{F}_{q^3}^*$. 

7. Rank 1 groups. An early version of this paper contained Las Vegas algorithms 
for handling rank 1 exceptional groups - Suzuki groups $Sz(q) = {}^2B_2(q)$ and 
Ree groups ${}^2G_2(q)$ - except for timing that involved a factor $q^2$ or $q^3$, respectively, 
as well as use of a length $O(q^3 \log^2 q)$ presentation for ${}^2G_2(q)$. (This result implies 
that, in Corollary 1.2, there is no need to exclude ${}^2G_2(q)$ composition factors.) 

However, that older approach now seems far less interesting. A lovely black box 
Las Vegas algorithm for Sz(q) is in [BrB], with timing involving a factor q. An 
alternative approach [Baa1, Baa2] deals with Sz(q) as a matrix group and avoids 
any such factor but assumes the correctness of a complicated conjecture concerning 
$\mathbb{F}_q = \mathbb{F}_{2^{2e+1}}$. 

The Ree groups ${}^2G_2(q)$ were studied in [Baa3] as 7-dimensional matrix groups 
using an involution centralizer and an SL(2, q) oracle (cf. Remarks 4 and 6), this 
time assuming a complicated conjecture concerning the field $\mathbb{F}_q = \mathbb{F}_{3^{2e+1}}$. There is 
some hope that a different use of an involution centralizer (together with suitable 
oracles) can handle the black box setting without a need for any such conjecture 
or any factor q in the timing. 

Acknowledgement: We are grateful to the referee, as well as to Peter Brooksbank 
and Akos Seress, for many helpful comments and suggestions. 

Appendix: The group $E_7(q)$ and its Lie algebra 

The proof of Lemma 2.32 required finding $g \in L = E_7(q)$ such that ((S Pi L) 1 ]/^ 1 ) 5 
= $S \cap L$. Since A := (S f) L)^^ 1 and $S \cap L$ are conjugate in L, we can use the 
behavior of the latter group in order to deduce properties of the former one. 

The group $C_G(S) = E_6(q)$ acts on the Lie algebra $\mathcal{L}(E_7(q))$ of L, decomposing 
it as $133 = 78 \oplus 27 \oplus 27^* \oplus 1$, where 78 is the Lie algebra $\mathcal{L}(E_6(q))$ of $C_G(S)$, 
the 27s are the usual dual pair of irreducible $C_G(S)$-modules of that dimension, 
and the 1-space is centralized. The torus $S \cap L$ centralizes $C_G(S) = E_6(q)$; each 
of its elements acts as a scalar $\rho$ on 27 and $\rho^{-1}$ on its dual $27^*$, so that $S \cap L$ is 
nontrivial on both of those subspaces (since q > 2); and each of its elements is 1 
on $\mathcal{L}(E_6(q))$ since each is both an automorphism of that algebra and a scalar by 
Schur's Lemma. Then $S \cap L$ centralizes $78 \oplus 1$, so that 78 is the derived Lie algebra 
$C_{\mathcal{L}(E_7(q))}(S \cap L)' = \mathcal{L}(E_6(q))$. 

With this background we proceed as follows. Find $C_{\mathcal{L}(E_7(q))}(A)$ and then 
$C_{\mathcal{L}(E_7(q))}(A)' \cong \mathcal{L}(E_6(q))$, using elementary linear algebra. 

Find a Chevalley basis $\{e_\alpha, e_{-\alpha}, h_\alpha \mid \alpha \in \Phi_6\}$ of $C_{\mathcal{L}(E_7(q))}(A)'$ using [CM, CR]. 
Let $\Delta_6$ be a base for $\Phi_6$. 

Find the linear transformations $E_\alpha(t) = \exp(\operatorname{ad}\, t e_\alpha)$ and $E_{-\alpha}(t) = \exp(\operatorname{ad}\, t e_{-\alpha})$ for 
$\alpha \in \Delta_6$ and $t = f_k$ or $-f_k^{-1}$ in F; and then also $h_\alpha(f_k)$ as in (2.7). Then 
$\langle h_\alpha(\mathbb{F}^*) \mid \alpha \in \Delta_6 \rangle$ is a maximal split torus of a group (isomorphic to $E_6(q)$) of 
automorphisms of $C_{\mathcal{L}(E_7(q))}(A)'$. 

We saw above that A is 1 on the 78-space $C_{\mathcal{L}(E_7(q))}(A)'$. It follows that $T_7 := 
\langle h_\alpha(f_k), A \mid \alpha \in \Delta_6, 1 \le k \le e \rangle$ is the direct product $\langle h_\alpha(f_k) \mid \alpha \in \Delta_6, 1 \le k \le e \rangle \times 
\langle A \rangle$, and hence has the correct order $(q-1)^6 (q-1)$ to be a maximal torus of L. 

We can now obtain a Chevalley basis of $\mathcal{L}(E_7(q))$: diagonalize the action of $T_7$ 
on $\mathcal{L}(E_7(q))$ and normalize the basis as in [Ca1, Sec. 4.2]. 

We now have two Chevalley bases of $\mathcal{L}(E_7(q))$: the one we started with (which 
was implicitly used to write the generators of $E_7(q)$ in the presentation 
(2.2)-(2.5)), and the one just constructed. Let g be the linear transformation effecting 
the corresponding base change. It is in $E_7(q)$, so we can use our $E_7(q)$ algorithm 
for Theorem 1.1(iv) (a recursive call) to write it using a straight-line program in 
the generators of L, as required. 